* Jorge Bastos <mysql.jo...@decimal.pt>:
> I think I got hit by CVE-2023-20032 [1], does anyone know how to identify if
> yes, and how to remove it?

How did you find out you were hit by CVE-2023-20032?

To summarize what CVE-2023-20032 is:
====================================

"An attacker could exploit this vulnerability by submitting a crafted HFS+
partition file to be scanned by ClamAV on an affected device. A successful
exploit could allow the attacker to execute arbitrary code with the
privileges of the ClamAV scanning process, or else crash the process,
resulting in a denial of service (DoS) condition"

I assume you use ClamAV for mail scanning. This means somebody needs to send
you an HFS+ partition file AS ATTACHMENT. This needs to be scanned by clamav.
Did you find such incidents in your log (I assume you're logging attachment
types)?

> https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

Yes, it has been patched for quite some time now. Did you install the
patched version?

> I have a lot of data passing clamsmtp that started two days ago, and I have
> thousands of these every minute, but still didn't figure out where it is
> being executed.
>
> Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.bRD1ml: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(59b7bfb602fb2d583ffac90d71155fe0:618) FOUND
> Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.yhhE0l: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(144eec09fe09ec3ecb66c5c1daab6da0:618) FOUND
> Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.Hsneas: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(5c452a43ebfb8b4a5a3f67310d64e1f3:618) FOUND
> Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.72Tre8: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(39a30e65fe97a7b95352f20f1fa2dbfc:618) FOUND

These indicate that clamav found
"sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720". What does
this have to do with CVE-2023-20032?

# sigtool --find-sigs=sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720 | sigtool --decode-sig
VIRUS NAME: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720
DECODED SIGNATURE:
ecpms.net

So, this basically matches "ecpms.net"

-- 
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de
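The point of the reply above is triage: the quoted log entries are hits on a third-party hex-string signature (the ".UNOFFICIAL" suffix marks a non-official database) whose body decodes to the literal "ecpms.net", and have nothing to do with the HFS+ parser bug. The script below is an added example, not code from the thread or from the ClamAV project. It parses clamd/clamsmtp-style "FOUND" lines, counts hits per signature name, separates official from third-party signatures, and decodes the hex body of a plain .ndb rule the way `sigtool --decode-sig` does. The log lines, temp-file names and hashes are constructed placeholders, and the .ndb line is a constructed stand-in for the real InterServer rule, which the thread does not reproduce (only its decoded body is shown).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample log, shaped like the clamsmtp lines quoted in the thread.
# Temp-file names and the parenthesised hash:size values are placeholders.
SAMPLE_LOG = """\
Fri Sep  1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.AAAAAA: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(00000000000000000000000000000001:618) FOUND
Fri Sep  1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.BBBBBB: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(00000000000000000000000000000002:618) FOUND
Fri Sep  1 11:50:52 2023 -> /var/spool/clamsmtp/clamsmtpd.CCCCCC: Example.Test.Constructed-1 FOUND
Fri Sep  1 11:50:53 2023 -> /var/spool/clamsmtp/clamsmtpd.DDDDDD: OK
"""

# Constructed .ndb line (MalwareName:TargetType:Offset:HexSignature). The real
# InterServer rule is not on the page; this stand-in simply hex-encodes
# "ecpms.net", the body that sigtool --decode-sig reported in the thread.
SAMPLE_NDB = ("sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720"
              ":0:*:6563706d732e6e6574")

# "<timestamp> -> <path>: <signature>[(md5:size)] FOUND"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) -> "
    r"(?P<path>\S+): (?P<sig>\S+?)"
    r"(?:\((?P<md5>[0-9a-fA-F]{32}):(?P<size>\d+)\))? FOUND$"
)


@dataclass
class Detection:
    timestamp: str
    path: str
    signature: str
    md5: Optional[str]
    size: Optional[int]


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for a 'FOUND' line, or None for OK/other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Detection(m["ts"], m["path"], m["sig"], m["md5"],
                     int(m["size"]) if m["size"] else None)


def is_unofficial(signature: str) -> bool:
    """ClamAV appends .UNOFFICIAL to names loaded from third-party databases."""
    return signature.endswith(".UNOFFICIAL")


def summarize(log_text: str) -> Dict[str, int]:
    """Count FOUND events per signature name."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        d = parse_line(line)
        if d:
            counts[d.signature] += 1
    return dict(counts)


def decode_ndb_signature(ndb_line: str) -> str:
    """Decode the hex body of a plain .ndb rule to text, as sigtool --decode-sig does.
    Only literal hex is handled; bodies with wildcards ({n}, ??, *) raise ValueError."""
    fields = ndb_line.split(":")
    if len(fields) < 4:
        raise ValueError("expected MalwareName:TargetType:Offset:HexSignature")
    body = fields[3]
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", body):
        raise ValueError("signature body contains wildcards; not a plain hex string")
    return bytes.fromhex(body).decode("latin-1")


if __name__ == "__main__":
    # Most frequent signature first, with its provenance, so a flood like the
    # one in the thread can be attributed to one rule at a glance.
    for sig, n in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        kind = "third-party" if is_unofficial(sig) else "official"
        print(f"{n:4d}  {kind:11s}  {sig}")
    print("decoded body of sample .ndb rule:", decode_ndb_signature(SAMPLE_NDB))
```

Run it against a real clamd or clamsmtp log by feeding the file contents to `summarize()`; a burst of hits concentrated on a single `.UNOFFICIAL` name points at a string-matching third-party rule (and a candidate for whitelisting or a false-positive report to that database's maintainer) rather than at a parser vulnerability in ClamAV itself.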