New rule: body_cve_2023_5631.yml

detection-rules/body_cve_2023_5631.yml

@@ -0,0 +1,24 @@
+name: "Body: CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG"
+description: "Body HTML contains an exploit for CVE-2023-5631, a vulnerability in Roundcube Webmail that allows stored XSS via an HTML e-mail message with a crafted SVG document."
+references:
+  - "https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/"
+  - "https://nvd.nist.gov/vuln/detail/CVE-2023-5631"
+type: "rule"
+severity: "critical"
+source: |
+  type.inbound
+  and length(attachments) == 0
+  and strings.ilike(body.html.raw, '*use href="data:image/svg+xml;base64,PHN2Zy*#*')
+  and not profile.by_sender().solicited
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "Exploit"
+  - "HTML smuggling"
+  - "Scripting"
+detection_methods:
+  - "Content analysis"
+  - "HTML analysis"
+  - "Sender analysis"
+id: "8405d61b-4330-534e-b64c-f98ee15d8767"