CVE-2023-20032 how to identify and solve
Hi Guys,

I think I got hit by CVE-2023-20032 [1]. Does anyone know how to identify
if so, and how to remove it?
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

I have a lot of data passing through clamsmtp that started two days ago, and I
have thousands of these every minute, but still haven't figured out where
it is being executed.

Thanks in advance,

Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.bRD1ml: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(59b7bfb602fb2d583ffac90d71155fe0:618) FOUND
Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.yhhE0l: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(144eec09fe09ec3ecb66c5c1daab6da0:618) FOUND
Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.Hsneas: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(5c452a43ebfb8b4a5a3f67310d64e1f3:618) FOUND
Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.72Tre8: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(39a30e65fe97a7b95352f20f1fa2dbfc:618) FOUND

Links:
------
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20032
Re: [ext] CVE-2023-20032 how to identify and solve
* Jorge Bastos <mysql.jorge@decimal.pt>:

> I think I got hit by CVE-2023-20032 [1]. Does anyone know how to identify if
> so, and how to remove it?

How did you find out you were hit by CVE-2023-20032?

To summarize what CVE-2023-20032 is:
====================================

"An attacker could exploit this vulnerability by submitting a crafted
HFS+ partition file to be scanned by ClamAV on an affected device. A
successful exploit could allow the attacker to execute arbitrary code
with the privileges of the ClamAV scanning process, or else crash the
process, resulting in a denial of service (DoS) condition"

I assume you use ClamAV for Mail scanning. This means somebody needs
to send you an HFS+ partition file AS ATTACHMENT. This needs to be
scanned by clamav.

Did you find such incidents in your log (I assume you're logging attachment types)?

> https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

Yes, it has been patched for quite some time now. Did you install the
patched version?

> I have a lot of data passing through clamsmtp that started two days ago, and I have
> thousands of these every minute, but still haven't figured out where it is
> being executed.
>
> Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.bRD1ml: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(59b7bfb602fb2d583ffac90d71155fe0:618) FOUND
> Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.yhhE0l: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(144eec09fe09ec3ecb66c5c1daab6da0:618) FOUND
> Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.Hsneas: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(5c452a43ebfb8b4a5a3f67310d64e1f3:618) FOUND
> Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.72Tre8: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(39a30e65fe97a7b95352f20f1fa2dbfc:618) FOUND

These indicate that clamav found "sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720".
What does this have to do with CVE-2023-20032?

# sigtool --find-sigs=sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720 | sigtool --decode-sig
VIRUS NAME: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720
DECODED SIGNATURE:
ecpms.net

So, this basically matches "ecpms.net"

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebrandt@charite.de
https://www.charite.de
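An added example, not written by either poster: a small Python helper that does what Ralf's reply does by hand. It parses clamd FOUND lines in the format quoted above (with ExtendedDetectionInfo, clamd appends the md5 and size of the scanned object after the signature name), counts hits per signature so a flood of one UNOFFICIAL hex match stands out from anything HFS+-related, and decodes the hex body of an .ndb signature the way sigtool --decode-sig does. The sample log lines and the .ndb line are constructed from the thread (the .ndb body is the hex of the decoded "ecpms.net"; target type and offset are assumed).

```python
import re
from collections import Counter

# Constructed sample in the clamd log format quoted in the thread; with
# ExtendedDetectionInfo, clamd appends "(md5:size)" of the scanned object.
SAMPLE_LOG = """\
Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.bRD1ml: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(59b7bfb602fb2d583ffac90d71155fe0:618) FOUND
Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.yhhE0l: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(144eec09fe09ec3ecb66c5c1daab6da0:618) FOUND
Fri Sep 1 11:50:52 2023 -> /var/spool/clamsmtp/clamsmtpd.aB12cd: Eicar-Signature FOUND
Fri Sep 1 11:50:52 2023 -> /var/spool/clamsmtp/clamsmtpd.zz99qq: OK
"""
# Constructed .ndb line (Name:TargetType:Offset:HexBody); body is hex of "ecpms.net".
EXAMPLE_NDB = "sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720:0:*:6563706d732e6e6574"

FOUND_RE = re.compile(
    r"^(?P<ts>.+?) -> (?P<path>\S+): (?P<sig>[^\s(]+)"
    r"(?:\((?P<md5>[0-9a-fA-F]{32}):(?P<size>\d+)\))? FOUND$"
)

def parse_found(line):
    """Split one FOUND line into its fields; return None for OK or unrelated lines."""
    m = FOUND_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["unofficial"] = d["sig"].endswith(".UNOFFICIAL")  # third-party signature
    d["size"] = int(d["size"]) if d["size"] else None
    return d

def summarize(log_text):
    """Count hits per signature so a sudden flood of one signature stands out."""
    hits = (parse_found(line) for line in log_text.splitlines())
    return Counter(h["sig"] for h in hits if h)

def decode_hex_sig(ndb_line):
    """Decode the hex body of an .ndb signature to text, like sigtool --decode-sig."""
    _name, _target, _offset, rest = ndb_line.split(":", 3)
    body = rest.split(":")[0]  # drop optional MinFL/MaxFL fields
    out = []
    for i in range(0, len(body), 2):
        tok = body[i:i + 2]
        if tok == "??":
            out.append("?")  # single-byte wildcard
        else:
            b = int(tok, 16)
            out.append(chr(b) if 32 <= b < 127 else f"\\x{b:02x}")
    return "".join(out)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG).most_common(), decode_hex_sig(EXAMPLE_NDB))
```

Run it over /var/log/clamav/clamav.log (or wherever clamd logs) instead of SAMPLE_LOG to see which signatures dominate; a hex string match on "ecpms.net" in mail bodies is a content detection, not evidence that the HFS+ parser was ever reached.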