From 1a7db05f27d54d4b4fcee153c0ca89557e543257 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 30 Jan 2024 09:40:44 -0700
Subject: [PATCH] New rule: body_cve_2023_5631.yml (#881)

Co-authored-by: ID Generator
Co-authored-by: Sam Scholten
---
 detection-rules/body_cve_2023_5631.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 detection-rules/body_cve_2023_5631.yml

diff --git a/detection-rules/body_cve_2023_5631.yml b/detection-rules/body_cve_2023_5631.yml
new file mode 100644
index 00000000000..71027366f83
--- /dev/null
+++ b/detection-rules/body_cve_2023_5631.yml
@@ -0,0 +1,24 @@
+name: "Body: CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG"
+description: "Body HTML contains an exploit for CVE-2023-5631, a vulnerability in Roundcube Webmail that allows stored XSS via an HTML e-mail message with a crafted SVG document."
+references:
+ - "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/"
+ - "https://nvd.nist.gov/vuln/detail/CVE-2023-5631"
+type: "rule"
+severity: "critical"
+source: |
+ type.inbound
+ and length(attachments) == 0
+ and strings.ilike(body.html.raw, '*use href="data:image/svg+xml;base64,PHN2Zy*#*')
+ and not profile.by_sender().solicited
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Exploit"
+ - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Content analysis"
+ - "HTML analysis"
+ - "Sender analysis"
+id: "8405d61b-4330-534e-b64c-f98ee15d8767"
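Review bot: The `strings.ilike` pattern in `source` is one literal substring — a single attribute spelling (`use href="` with double quotes) plus the base64 prefix `PHN2Zy`, which is the encoding of `<svg ` only when that tag sits at the very start of the data-URI payload — so the rule fingerprints the published sample rather than the vulnerability, and a benign re-serialization of the message by an intermediate MTA or client can miss it just as easily. The reason for that opaque literal should be recorded next to the query so a maintainer does not "fix" it, e.g. a YAML comment above `source:` such as `# 'PHN2Zy' is base64 for '<svg ' when the SVG text begins the data-URI payload; any content before the tag changes this prefix`. Separately, `and not profile.by_sender().solicited` suppresses a critical-severity exploit signature on sender history alone; if a compromised-but-solicited sender is meant to bypass this detection, that trade-off belongs in `description`, otherwise the clause should be dropped. The `length(attachments) == 0` guard likewise narrows coverage to attachment-free messages and is presumably a false-positive control; stating that intent would help too. This is a new file, so the whole rule is within the hunk.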