Mailing List Archive

MS Word Follina - CVE-2022-30190
Hi

I am not a security person so I apologize if the question sounds stupid.
I'd like to ask if there is a signature in the clamav DB to recognise
Microsoft word documents affected by the "Follina" - CVE-2022-30190 remote
code execution vulnerability.

Regards
Vangelis
Re: MS Word Follina - CVE-2022-30190
Hi there,

On Thu, 9 Jun 2022, Vangelis Katsikaros via clamav-users wrote:

> I am not a security person so I apologize if the question sounds stupid.

It doesn't sound stupid. :)

> I'd like to ask if there is a signature in the clamav DB to recognise
> Microsoft word documents affected by the "Follina" - CVE-2022-30190 remote
> code execution vulnerability.

This particular vulnerability is worrying because it can be exploited
even if the user does not enable Word macros. It can be exploited by
things other than Word documents, e.g. just a link in an email:

https://forum.eset.com/topic/32571-ms-word-follina-exploit-not-detected/

So as you can imagine it's unlikely that a single signature will be
able to provide complete protection.

At the moment I know of no ClamAV 'official' signature which addresses
the issue in any way at all. I imagine people are working on it.

My take on it is that if it's a Word document, a Rich Text File, RAR,
ZIP, TGZ and a whole bunch of other things, then no matter what you
claim it is, I don't want it. Links are treated with great suspicion.
The milters here reflect those views, and have done for many years.

There are mitigations for the vulnerability:

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

In the absence of a fix from Microsoft that's your best bet I think
but read my first link first.

It would not be wise to rely on anti-virus techniques for protection
if there's any risk that a user might open a malicious document (or
click a malicious link) before it is known to be safe. A null scan
result does not mean it's known to be safe. It means the scanner
didn't find a threat, which does not mean that there are no threats
in there to be found.

--

73,
Ged.
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: MS Word Follina - CVE-2022-30190
Actually, there are two so far, added on June 2 and 7:

% sigtool -f CVE_2022_30190-|sigtool --decode-sigs
VIRUS NAME: Win.Exploit.CVE_2022_30190-9951234-1
TDB: Engine:96-255,Container:CL_TYPE_OOXML_WORD,Target:7
LOGICAL EXPRESSION: 0&1&2
* SUBSIG ID 0
+-> OFFSET: 0
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
<?xml {WILDCARD_ANY_STRING}<relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
targetmode="external"
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
target="{WILDCARD_ANY_STRING(LENGTH<=9)}http{WILDCARD_ANY_STRING(LENGTH<=100)}.html!

VIRUS NAME: Win.Exploit.CVE_2022_30190-9951407-0
TDB: Engine:96-255,Container:CL_TYPE_OOXML_XL,Target:7
LOGICAL EXPRESSION: 0&1&2
* SUBSIG ID 0
+-> OFFSET: 0
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
<?xml {WILDCARD_ANY_STRING}<relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
targetmode="external"
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
target="{WILDCARD_ANY_STRING(LENGTH<=8)}http{WILDCARD_ANY_STRING(LENGTH<=100)}.html!

-Al-

> On Jun 9, 2022, at 5:16 AM, Vangelis Katsikaros via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi
>
> I am not a security person so I apologize if the question sounds stupid. I'd like to ask if there is a signature in the clamav DB to recognise Microsoft word documents affected by the "Follina" - CVE-2022-30190 remote code execution vulnerability.
>
> Regards
> Vangelis

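To make the two decoded signatures above concrete, here is an added Python example (my own, not ClamAV's code or anything from the list posters) that re-implements their logic, `0&1&2` over the three subsignatures, against OOXML packages. It assumes a simplified stand-in for ClamAV's container typing (Word vs. Excel decided from the top-level zip directory, with the prefix limits 9 and 8 taken from the two signatures) and uses constructed sample packages: one with an external relationship whose target ends in `.html!`, one with an ordinary external hyperlink to a `.html` page, which the third subsignature deliberately does not match.

```python
"""Re-implementation of the 0&1&2 logic of the two Win.Exploit.CVE_2022_30190
signatures quoted above, run over constructed OOXML-shaped zip packages."""
import io
import re
import zipfile

# Subsignature 0: "<?xml" at offset 0, anything, then the package-relationships
# root element (SIGMOD NOCASE -> IGNORECASE; the wildcard spans newlines -> DOTALL).
SUBSIG_0 = re.compile(
    rb'\A<\?xml.*?<relationships xmlns="http://schemas\.openxmlformats\.org/package/2006/relationships">',
    re.IGNORECASE | re.DOTALL,
)
# Subsignature 1: an external relationship, any offset, NOCASE.
SUBSIG_1 = re.compile(rb'targetmode="external"', re.IGNORECASE)


def subsig_2(max_prefix: int) -> re.Pattern:
    """Subsignature 2: target="<up to N bytes>http<up to 100 bytes>.html!
    The trailing "!" is the distinguishing mark; a plain external hyperlink
    to a .html page carries no "!" and therefore does not satisfy it."""
    return re.compile(rb'target=".{0,%d}http.{0,100}\.html!' % max_prefix,
                      re.IGNORECASE | re.DOTALL)


# Prefix limits per container, as in the two decoded signatures (9 Word, 8 Excel).
PREFIX_LIMIT = {"OOXML_WORD": 9, "OOXML_XL": 8}


def container_type(names):
    """Assumption: a rough stand-in for CL_TYPE_OOXML_WORD / CL_TYPE_OOXML_XL,
    decided here from the package's top-level directory."""
    if any(n.startswith("word/") for n in names):
        return "OOXML_WORD"
    if any(n.startswith("xl/") for n in names):
        return "OOXML_XL"
    return None


def rels_matches(data: bytes, max_prefix: int) -> bool:
    """Logical expression 0&1&2 evaluated over one .rels member."""
    return bool(SUBSIG_0.search(data)
                and SUBSIG_1.search(data)
                and subsig_2(max_prefix).search(data))


def scan_package(blob: bytes):
    """Return [(member, container)] for each .rels member that satisfies the
    signature logic. An empty list means nothing matched, not 'known safe'."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        ctype = container_type(names)
        if ctype is None:
            return hits
        for name in names:
            if name.lower().endswith(".rels") and rels_matches(zf.read(name), PREFIX_LIMIT[ctype]):
                hits.append((name, ctype))
    return hits


# --- constructed samples (no real document, no payload; example.invalid never resolves) ---
RELS_HEAD = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
             b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
RELS_TAIL = b'</Relationships>'
HYPERLINK = b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
SUSPICIOUS_REL = b'<Relationship Id="rId2" ' + HYPERLINK + b' Target="http://example.invalid/page.html!" TargetMode="External"/>'
BENIGN_REL = b'<Relationship Id="rId2" ' + HYPERLINK + b' Target="https://example.invalid/info.html" TargetMode="External"/>'


def build_package(top_dir: str, extra_rel: bytes) -> bytes:
    """Minimal OOXML-shaped zip holding only the members this check reads
    (layout simplified; a real package has many more parts)."""
    rels = (RELS_HEAD
            + b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            + extra_rel + RELS_TAIL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{top_dir}/document.xml", b"<w:document/>")
        zf.writestr(f"{top_dir}/_rels/document.xml.rels", rels)
    return buf.getvalue()


WORD_SUSPICIOUS = build_package("word", SUSPICIOUS_REL)
WORD_BENIGN = build_package("word", BENIGN_REL)
XL_SUSPICIOUS = build_package("xl", SUSPICIOUS_REL)

if __name__ == "__main__":
    for label, blob in [("word/suspicious", WORD_SUSPICIOUS),
                        ("word/benign-hyperlink", WORD_BENIGN),
                        ("xl/suspicious", XL_SUSPICIOUS)]:
        print(label, scan_package(blob))
```

Two things worth noting from running it. The benign package has an external relationship too (ordinary hyperlinks legitimately use `TargetMode="External"`), so subsignatures 0 and 1 alone would be far too noisy; it is the `.html!` tail in subsignature 2 that makes the match specific. And, as Ged says in the earlier reply, an empty result from `scan_package` is only "this pattern was not found"; a document using a different relationship part, a different wrapper format, or just a link in an email would never reach this check at all.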
Re: MS Word Follina - CVE-2022-30190
On 9 June 2022 13:17:29 Vangelis Katsikaros via clamav-users
<clamav-users@lists.clamav.net> wrote:
> Hi
>
> I am not a security person so I apologize if the question sounds stupid.
> I'd like to ask if there is a signature in the clamav DB to recognise
> Microsoft word documents affected by the "Follina" - CVE-2022-30190 remote
> code execution vulnerability.

I've added a few signatures into phish.ndb quite a few days ago to detect
Follina... including some of the poc versions that use pdf files.

There are some Follina sigs in the official signatures as well.

Hope this is a reassurance.

Cheers,

Steve
Twitter: @sanesecurity