Security

Html.Exploit.CVE_2017_11793-6336854-1 FOUND. What is it?

by , , revisited on


We have by far the largest RPM repository with dynamic stable NGINX modules and VMODs for Varnish 4.1 and 6.0 LTS. If you want to install nginx, Varnish and lots of useful modules for them, this is your one stop repository to get all performance related software.
You have to maintain an active subscription in order to be able to use the repository!

On all the servers that I manage, I make use of ClamAV with Malware detect signatures. Recent updates of the signatures resulted in multiple Javascript files triggering detection of Html.Exploit.CVE_2017_11793-6336854-1.

What is Html.Exploit.CVE_2017_11793-6336854-1

My initial research is through command line (as always):

sigtool --find-sigs=Html.Exploit.CVE_2017_11793-6336854-1 | sigtool --decode

Resulted in:

VIRUS NAME: Html.Exploit.CVE_2017_11793-6336854-1
TDB: Engine:55-255,Target:3
LOGICAL EXPRESSION: 0&1&2
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
rangeerror
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
json.stringify
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
location.href{WILDCARD_ANY_STRING(LENGTH<=3)}location.href
Do you want a very secure server? We have what you want. Magento 2 PCI compliant server setup.

This isn’t really useful. Microsoft’s CVE page for the same proves more useful instead:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

How Html.Exploit.CVE_2017_11793-6336854-1 applies to a website

This security risk poses no threat to the web server itself. This risk only applies to your website visitors.

Javascript code in the files detected with this signature might cause Internet Explorer to be vulnerable should actual malware code exist in your file.

If you are sure that your file is legit, then there is no risk to website visitors.

Hot to mitigate Html.Exploit.CVE_2017_11793-6336854-1

As a website owner, you are at no risk and I’m sure you have no intention to exploit your visitor’s browser vulnerability. However, please make sure that the file matches to the one provided by your CMS before whitelisting it. See below for whitelisting commands.

Your visitors on the other hand, are advised to apply outstanding security updates for their Windows machines.

Whitelist Html.Exploit.CVE_2017_11793-6336854-1 signature

Since this security threat poses no risk for web servers, it makes sense to whitelist it in ClamAV if you are sure about the origin of your Javascript files.

Whitelist ClamAV Html.Exploit.CVE_2017_11793-6336854-1 signature in CentOS 7

echo 'Html.Exploit.CVE_2017_11793-6336854-1' >> /var/lib/clamav/local.ign2
chown clamscan:clamscan /var/lib/clamav/local.ign2
systemctl restart clamd@scan

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.