[clamav-users] MS Word Follina - CVE-2022-30190
Al Varnell
alvarnell at mac.com
Thu Jun 9 13:50:47 UTC 2022
Actually, there are two so far, added on June 2 and 7:
% sigtool -f CVE_2022_30190-|sigtool --decode-sigs
VIRUS NAME: Win.Exploit.CVE_2022_30190-9951234-1
TDB: Engine:96-255,Container:CL_TYPE_OOXML_WORD,Target:7
LOGICAL EXPRESSION: 0&1&2
* SUBSIG ID 0
+-> OFFSET: 0
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
<?xml {WILDCARD_ANY_STRING}<relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
targetmode="external"
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
target="{WILDCARD_ANY_STRING(LENGTH<=9)}http{WILDCARD_ANY_STRING(LENGTH<=100)}.html!
VIRUS NAME: Win.Exploit.CVE_2022_30190-9951407-0
TDB: Engine:96-255,Container:CL_TYPE_OOXML_XL,Target:7
LOGICAL EXPRESSION: 0&1&2
* SUBSIG ID 0
+-> OFFSET: 0
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
<?xml {WILDCARD_ANY_STRING}<relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
targetmode="external"
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
target="{WILDCARD_ANY_STRING(LENGTH<=8)}http{WILDCARD_ANY_STRING(LENGTH<=100)}.html!
-Al-
> On Jun 9, 2022, at 5:16 AM, Vangelis Katsikaros via clamav-users <clamav-users at lists.clamav.net> wrote:
>
> Hi
>
> I am not a security person so I apologize if the question sounds stupid. I'd like to ask if there is a signature in the clamav DB to recognise Microsoft word documents affected by the "Follina" - CVE-2022-30190 remote code execution vulnerability.
>
> Regards
> Vangelis
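The following is an added example, not part of the original message and not ClamAV code: a Python approximation of the logical expression 0&1&2 decoded above, applied to every .rels part inside an OOXML container. Assumptions: re.IGNORECASE stands in for SIGMOD NOCASE, the Container and Target:7 (normalized text) conditions are not modelled, and the document built by build_sample() is constructed test input using the placeholder host example.invalid.

```python
import io
import re
import zipfile

# Subsignature 0 (OFFSET 0): XML declaration, anything, then the relationships root.
SUB0 = re.compile(
    rb'<\?xml .*?<relationships xmlns="http://schemas\.openxmlformats\.org'
    rb'/package/2006/relationships">', re.I | re.S)
# Subsignature 1 (OFFSET ANY): the relationship points outside the package.
SUB1 = re.compile(rb'targetmode="external"', re.I)

def sub2(max_prefix):
    # Subsignature 2 (OFFSET ANY): target=" + <=max_prefix bytes + http
    # + <=100 bytes + .html!  (max_prefix is 9 in -9951234-1, 8 in -9951407-0)
    return re.compile(rb'target=".{0,%d}http.{0,100}\.html!' % max_prefix,
                      re.I | re.S)

def rels_matches(part, max_prefix=9):
    """True when all three subsignatures hit (LOGICAL EXPRESSION 0&1&2)."""
    return bool(SUB0.match(part) and SUB1.search(part)
                and sub2(max_prefix).search(part))

def scan_ooxml(blob, max_prefix=9):
    """Return the names of .rels parts in an OOXML zip that match."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return [n for n in z.namelist()
                if n.endswith(".rels") and rels_matches(z.read(n), max_prefix)]

def build_sample(target, mode):
    """Constructed test input: a minimal zip holding one relationships part."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            '<Relationships xmlns="http://schemas.openxmlformats.org'
            '/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="urn:example:type" '
            f'Target="{target}" TargetMode="{mode}"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

PART = "word/_rels/document.xml.rels"
SUSPECT = build_sample("https://example.invalid/index.html!", "External")
PLAIN_LINK = build_sample("https://example.invalid/index.html", "External")
INTERNAL = build_sample("styles.xml", "Internal")
PREFIX9 = build_sample("012345678https://example.invalid/a.html!", "External")

if __name__ == "__main__":
    for name, blob in [("suspect", SUSPECT), ("plain link", PLAIN_LINK),
                       ("internal", INTERNAL)]:
        print(name, scan_ooxml(blob))
```

An ordinary external hyperlink ending in .html does not match; only a target ending in ".html!" does, which is why all three subsignatures are ANDed.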