Mailing List Archive

[clamav-users] CVE_2021_4034-9951522 false positives on node executables
Hi,

A recent scan of my system found 8 infected files. On closer inspection, these are all nodejs binaries, either installed through Homebrew or inside another app (e.g., Docker or Adobe). Clamav reports that they are infected with CVE_2021_4034-9951522.

As far as I can tell, CVE_2021_4034 is the pkexec privilege escalation bug. However, I could not find anything relating to nodejs. Also, the fact that multiple nodejs binaries on my system are infected, which are installed from different sources, leads me to believe that this is a false positive.

I am unsure what to do next. Should I upload this as a false positive to https://www.clamav.net/reports/fp?

Best,
Viktor
Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables
Hi there,

On Tue, 21 Jun 2022, Viktor Rosenfeld via clamav-users wrote:

> A recent scan of my system found 8 infected files. On closer
> inspection, these are all nodejs binaries, either installed through
> Homebrew or inside another app (e.g., Docker or Adobe). Clamav
> reports that they are infected with CVE_2021_4034-9951522.
>
> As far as I can tell, CVE_2021_4034 is the pkexec privilege
> escalation bug. However, I could not find anything relating to
> nodejs. Also, the fact that multiple nodejs binaries on my system
> are infected, which are installed from different sources, leads me
> to believe that this is a false positive.
>
> I am unsure what to do next. ...

Agreed there might be grounds to suspect a false positive, but I'd
suggest that first you upload anything which has been flagged as
suspicious to somewhere like Virustotal or Jotti's Virus Scan. Then
take a view. If ClamAV is in a minority of one, probably filing the
false positive report would be the next step.

--

73,
Ged.
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables
On Jun 20, 2022, at 3:28 PM, Viktor Rosenfeld via clamav-users <clamav-users@lists.clamav.net> wrote:
> Hi,
>
> A recent scan of my system found 8 infected files. On closer inspection, these are all nodejs binaries, either installed through Homebrew or inside another app (e.g., Docker or Adobe). Clamav reports that they are infected with CVE_2021_4034-9951522.
>
> As far as I can tell, CVE_2021_4034 is the pkexec privilege escalation bug. However, I could not find anything relating to nodejs. Also, the fact that multiple nodejs binaries on my system are infected, which are installed from different sources, leads me to believe that this is a false positive.
>
> I am unsure what to do next. Should I upload this as a false positive to https://www.clamav.net/reports/fp?
>
> Best,
> Viktor

Strangely, I was unable to determine when that signature was added to the ClamAV database as it's not listed on any of the update notices I receive on the [clamav-virusdb] list. Although it's a 2021 CVE, it wasn't reported by Red Hat until the end of January, so most certainly had to be added by ClamAV this year after that.

But here is the complex signature that is used for matching:

VIRUS NAME: Osx.Exploit.CVE_2021_4034-9951522-1
TDB: Engine:91-255,Target:9
LOGICAL EXPRESSION: (0&1&2&3&4)>1|(5|6|7|8)>3|(9|10|11)>1
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
/usr/bin/pkexec
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
CMDTOEXECUTE=
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
NOTTY=
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
NOTTY_PORT=
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
GCONV_PATH=
* SUBSIG ID 5
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to execute pkexec
* SUBSIG ID 6
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to write payload
* SUBSIG ID 7
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to make tmp dir
* SUBSIG ID 8
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to write gconv module
* SUBSIG ID 9
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
/Users/woody/Downloads/vul/poc-cve-2021-4034-main/exploit.go
* SUBSIG ID 10
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
/Users/woody/Downloads/vul/poc-cve-2021-4034-main/payload/payload.go
* SUBSIG ID 11
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
payload.so

In checking with <https://nvd.nist.gov/vuln/detail/CVE-2021-4034> there's a header note, apparently placed there on June 14, that says:
> This vulnerability has been modified and is currently undergoing reanalysis. Please check back soon to view the updated vulnerability summary.
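The decoded signature above is three independent groups: all five of the exploit's own strings (pkexec path plus the four environment-variable names), or more than three of the four error messages, or more than one of the three Go source paths. The following is an added example, my own triage helper and not ClamAV's code or anything posted in the thread: a small evaluator for that logical expression that reports which subsignatures a file actually contains, so a flagged libnode.dylib can be checked locally and the offending strings quoted in the false-positive report. The match-count semantics it implements are my reading of the ClamAV logical-signature documentation (treat them as an assumption and confirm with clamscan), and the two sample "files" at the end are constructed byte blobs, not real binaries.

```python
"""Evaluate a ClamAV logical (.ldb) signature against a byte string.

Added triage helper, not ClamAV's own code.  Semantics as I read the docs
(assumption): a subsig's match count is how often its pattern occurs;
(A&B) is true when both sides matched, (A|B) when either did, and the
count of the combination is the sum of the sides' counts; A>X, A<X, A=X
compare that count with X, and an optional ",Y" suffix also requires at
least Y distinct subsigs to have matched.
"""
import re

# Subsignatures in subsig-ID order, as decoded by `sigtool --decode-sigs`
# for Osx.Exploit.CVE_2021_4034-9951522-1 in the message above.
PKEXEC_SUBSIGS = [
    b"/usr/bin/pkexec",                                                       # 0
    b"CMDTOEXECUTE=",                                                         # 1
    b"NOTTY=",                                                                # 2
    b"NOTTY_PORT=",                                                           # 3
    b"GCONV_PATH=",                                                           # 4
    b"Unable to execute pkexec",                                              # 5
    b"Unable to write payload",                                               # 6
    b"Unable to make tmp dir",                                                # 7
    b"Unable to write gconv module",                                          # 8
    b"/Users/woody/Downloads/vul/poc-cve-2021-4034-main/exploit.go",          # 9
    b"/Users/woody/Downloads/vul/poc-cve-2021-4034-main/payload/payload.go",  # 10
    b"payload.so",                                                            # 11
]
PKEXEC_EXPR = "(0&1&2&3&4)>1|(5|6|7|8)>3|(9|10|11)>1"

_TOKEN = re.compile(r"\d+|[()&|=<>,]")


def evaluate(expr, counts):
    """Return (matched, total_count, ids_that_matched) for expr over counts."""
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported characters in logical expression")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"syntax error at token {pos}")
        pos += 1
        return tok

    def atom():  # a subsig ID or a parenthesised sub-expression
        if peek() == "(":
            take("(")
            result = expression()
            take(")")
            return result
        idx = int(take())
        if idx >= len(counts):
            raise ValueError(f"subsig {idx} not defined")
        cnt = counts[idx]
        return cnt > 0, cnt, ({idx} if cnt else set())

    def unit():  # atom optionally followed by =X, <X, >X or >X,Y
        ok, cnt, ids = atom()
        if peek() in ("=", "<", ">"):
            op = take()
            x = int(take())
            y = None
            if peek() == ",":
                take(",")
                y = int(take())
            ok = cnt == x if op == "=" else cnt < x if op == "<" else cnt > x
            if y is not None:
                ok = ok and len(ids) >= y
            if not ok:
                cnt, ids = 0, set()
        return ok, cnt, ids

    def expression():  # units joined by & or |; mixing needs parentheses
        ok, cnt, ids = unit()
        op = None
        while peek() in ("&", "|"):
            tok = take()
            if op is not None and tok != op:
                raise ValueError("mixed & and | at one level; add parentheses")
            op = tok
            r_ok, r_cnt, r_ids = unit()
            ok = (ok and r_ok) if op == "&" else (ok or r_ok)
            cnt += r_cnt
            ids = ids | r_ids
        return (ok, cnt, ids) if ok else (False, 0, set())

    result = expression()
    if pos != len(tokens):
        raise ValueError("trailing tokens in logical expression")
    return result


def scan(data, subsigs=PKEXEC_SUBSIGS, expr=PKEXEC_EXPR):
    """Return (matched, {subsig_id: occurrences}) listing only subsigs found."""
    counts = [data.count(pattern) for pattern in subsigs]
    matched, _, _ = evaluate(expr, counts)
    return matched, {i: c for i, c in enumerate(counts) if c}


def scan_file(path, subsigs=PKEXEC_SUBSIGS, expr=PKEXEC_EXPR):
    with open(path, "rb") as fh:
        return scan(fh.read(), subsigs, expr)


# Constructed samples: SAMPLE_POC imitates a Go build of the PoC (the source
# paths survive in the binary); SAMPLE_BENIGN imitates a Mach-O that merely
# mentions two of the environment-variable names.
SAMPLE_POC = (
    b"\x7fELF" + b"\x00" * 16
    + b"/Users/woody/Downloads/vul/poc-cve-2021-4034-main/exploit.go\x00"
    + b"/Users/woody/Downloads/vul/poc-cve-2021-4034-main/payload/payload.go\x00"
    + b"Unable to execute pkexec\x00"
)
SAMPLE_BENIGN = b"\xcf\xfa\xed\xfe" + b"\x00" * 16 + b"GCONV_PATH=\x00NOTTY=\x00TERM=\x00"

if __name__ == "__main__":
    import sys
    print("sample-poc", scan(SAMPLE_POC))        # (True, {5: 1, 9: 1, 10: 1})
    print("sample-benign", scan(SAMPLE_BENIGN))  # (False, {2: 1, 4: 1})
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

Run it with the flagged paths as arguments (`python3 ldbcheck.py /opt/homebrew/lib/libnode.dylib`, the script name being mine); the dictionary of hit subsignatures tells you which of the three groups fired and is the concrete detail worth including in the report at https://www.clamav.net/reports/fp. A hit on the string-only groups says nothing about the file being an exploit, only that it happens to contain those byte sequences.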
Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables
Hi,

> Am 21.06.2022 um 01:04 schrieb G.W. Haywood <clamav@jubileegroup.co.uk>:
>
> Agreed there might be grounds to suspect a false positive, but I'd
> suggest that first you upload anything which has been flagged as
> suspicious to somewhere like Virustotal or Jotti's Virus Scan. Then
> take a view. If ClamAV is in a minority of one, probably filing the
> false positive report would be the next step.

Thank you, Ged, for the suggestions. I did not know these sites, they are very useful!

I checked all of the files flagged on my system on both sites. On Jotti's Virus Scan, all files were flagged by ClamAV. On Virustotal, only some of the files were flagged by ClamAV. Specifically, libnode.dylib files were flagged but node binaries were not flagged.

No other virus software flagged these files on either site.

I submitted a false positive report on the ClamAV website.

Cheers,
Viktor