Win.Exploit.CVE_2019_0903-6966169-0 FOUND

WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

Post by WillemDH »

Hello,

Our weekly running ClamAV scan of our Nagios XI server reports the following since we updated our DR server to 5.6.2 from 5.5.7:

/tmp/nagiosxi/subcomponents/nrpe/nrpe-3.2.1.tar.gz: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/subcomponents/ndoutils/ndoutils-2.1.3.tar.gz: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/subcomponents/nagioscore/nagios-4.4.3.tar.gz: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/subcomponents/nagioscore/nagios-4.4.3/html/angularjs/angular-1.3.9.zip: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/subcomponents/nagioscore/nagios-4.4.3/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/Bold/OpenSans-Bold.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/subcomponents/nagioscore/nagios-4.4.3/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/Bold/OpenSans-Bold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/subcomponents/nagioscore/nagios-4.4.3/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/ExtraBold/OpenSans-ExtraBold.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/subcomponents/nagioscore/nagios-4.4.3/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/ExtraBold/OpenSans-ExtraBold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/subcomponents/nagioscore/nagios-4.4.3/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/Italic/OpenSans-Italic.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/subcomponents/nagioscore/nagios-4.4.3/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/Regular/OpenSans-Regular.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/subcomponents/nagioscore/nagios-4.4.3/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/Regular/OpenSans-Regular.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/subcomponents/nagioscore/nagios-4.4.3/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/SemiboldItalic/OpenSans-SemiboldItalic.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/subcomponents/nagioscore/nagios-4.4.3/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/SemiboldItalic/OpenSans-SemiboldItalic.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/nagiosxi/basedir/html/includes/fonts/Roboto-Black-webfont.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/nagiosxi/basedir/html/includes/fonts/FontAwesome.otf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/licenses/jpgraph_bulk_license.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/sourceguardian/SG_User_Manual.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/linux-nrpe-agent.tar.gz: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/nrpe/nrpe-2.15.tar.gz: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/ndoutils/ndoutils-2.1.2.tar.gz: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/nagioscore/nagios-4.2.4.tar.gz: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/nagioscore/nagios-4.2.4/html/angularjs/angular-1.3.9.zip: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/nagioscore/nagios-4.2.4/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/Bold/OpenSans-Bold.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/nagioscore/nagios-4.2.4/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/Bold/OpenSans-Bold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/nagioscore/nagios-4.2.4/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/ExtraBold/OpenSans-ExtraBold.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/nagioscore/nagios-4.2.4/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/ExtraBold/OpenSans-ExtraBold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/nagioscore/nagios-4.2.4/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/Italic/OpenSans-Italic.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/nagioscore/nagios-4.2.4/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/Regular/OpenSans-Regular.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/nagioscore/nagios-4.2.4/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/Regular/OpenSans-Regular.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/nagioscore/nagios-4.2.4/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/SemiboldItalic/OpenSans-SemiboldItalic.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/subcomponents/nagioscore/nagios-4.2.4/html/angularjs/angular-1.3.9/docs/components/open-sans-fontface-1.0.4/fonts/SemiboldItalic/OpenSans-SemiboldItalic.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/nagiosxi/basedir/html/includes/fpdf/pdftable/example3.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/nagiosxi/basedir/html/includes/fpdf/pdftable/example2.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/nagiosxi/basedir/html/includes/fonts/Roboto-Black-webfont.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/nagiosxi/basedir/html/includes/fonts/FontAwesome.otf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/licenses/jpgraph_bulk_license.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi.tmp/sourceguardian/SG_User_Manual.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/xicomponents_backup/alertstream/.svn/text-base/AlertStream.jar.svn-base: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/xicomponents_backup/alertstream/AlertStream.jar: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/xicomponents_backup/jpgraph/src/fonts/DejaVuSans-Bold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/xicomponents_backup/pchart/Fonts/MankSans.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/linux-nrpe-agent/subcomponents/nrpe/nrpe-3.2.1.tar.gz: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/linux-nrpe-agent/subcomponents/nrpe/nrpe-3.2.1/docs/NRPE.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/doc/python-babel-0.9.6/doc/logo.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/ghostscript/9.07/Resource/CIDFSubst/DroidSansFallback.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/fonts/lyx/rsfs10.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/fonts/lyx/stmary10.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/fonts/dejavu/DejaVuSans-Bold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/fonts/dejavu/DejaVuSans-ExtraLight.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/fonts/dejavu/DejaVuSansCondensed-BoldOblique.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/fonts/dejavu/DejaVuLGCSansMono.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/fonts/dejavu/DejaVuLGCSans-ExtraLight.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/fonts/dejavu/DejaVuLGCSans.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/fonts/dejavu/DejaVuLGCSansCondensed-Oblique.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/fonts/ipa-gothic/ipag.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/fonts/ipa-pmincho/ipamp.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/httpd/noindex/css/fonts/Bold/OpenSans-Bold.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/httpd/noindex/css/fonts/Bold/OpenSans-Bold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/httpd/noindex/css/fonts/ExtraBold/OpenSans-ExtraBold.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/httpd/noindex/css/fonts/ExtraBold/OpenSans-ExtraBold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/httpd/noindex/css/fonts/Italic/OpenSans-Italic.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/httpd/noindex/css/fonts/Regular/OpenSans-Regular.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/httpd/noindex/css/fonts/Regular/OpenSans-Regular.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/httpd/noindex/css/fonts/SemiboldItalic/OpenSans-SemiboldItalic.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/httpd/noindex/css/fonts/SemiboldItalic/OpenSans-SemiboldItalic.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/local/nagiosxi/tmp/component-alertstream.zip: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/local/nagiosxi/html/includes/fonts/Roboto-Black-webfont.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/local/nagiosxi/html/includes/fonts/FontAwesome.otf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/local/nagiosxi/html/includes/components/alertstream/.svn/text-base/AlertStream.jar.svn-base: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/local/nagiosxi/html/includes/components/alertstream/AlertStream.jar: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/local/nagiosxi/html/includes/components/jpgraph/src/fonts/DejaVuSans-Bold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/local/nagiosxi/html/includes/components/pchart/Fonts/MankSans.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/local/nagiosxi/html/includes/fpdf/pdftable/example2.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/local/nagiosxi/html/includes/fpdf/pdftable/example3.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND 
It seems like a false positive, but even if it is, this should be whitelisted and verified asap imho? See https://www.clamav.net/reports/fp

Grtz

Willem
Nagios XI 5.8.1
https://outsideit.net
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Win.Exploit.CVE_2019_0903-6966169-0 FOUND

Post by benjaminsmith »

Hi @WillemDH,

Yes, we're quite certain that is a false positive since it is a Windows file it's picking up. I submitted a report to ClamAV from the link provided.

Thank you for letting us know.
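A triage sketch for scan output like the one posted in this thread, added here as an example and not part of the original posts or of Nagios or ClamAV tooling. It groups `FOUND` lines by signature and flags a signature that fires across many unrelated file types, including distro-owned files; the `/usr/share/` prefix test, the `min_exts` threshold and the final sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Six lines copied from the scan output posted in this thread, plus one
# constructed line (the last) with a different signature for contrast.
SAMPLE = """\
/tmp/nagiosxi/subcomponents/nrpe/nrpe-3.2.1.tar.gz: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/tmp/nagiosxi/licenses/jpgraph_bulk_license.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/fonts/dejavu/DejaVuSans-Bold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/share/httpd/noindex/css/fonts/Bold/OpenSans-Bold.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/local/nagiosxi/html/includes/fonts/FontAwesome.otf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/usr/local/nagiosxi/html/includes/components/alertstream/AlertStream.jar: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/constructed/eicar.com: Eicar-Test-Signature FOUND
"""

# clamscan prints one "<path>: <signature> FOUND" line per detection.
HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$")

def summarize(log_text):
    """Group detections by signature: hit count, file extensions, OS-owned paths."""
    by_sig = defaultdict(lambda: {"hits": 0, "exts": set(), "os_paths": 0})
    for line in log_text.splitlines():
        m = HIT.match(line)
        if not m:
            continue  # summary lines, warnings, "OK" results
        entry = by_sig[m["sig"]]
        entry["hits"] += 1
        entry["exts"].add(PurePosixPath(m["path"]).suffix.lower() or "(none)")
        # Assumption: /usr/share/ holds distro-packaged files on this host.
        if m["path"].startswith("/usr/share/"):
            entry["os_paths"] += 1
    return by_sig

def likely_broad_fp(entry, min_exts=4):
    """Heuristic (assumed threshold): one signature spanning many unrelated
    file types, including distro-owned files, points at the signature."""
    return len(entry["exts"]) >= min_exts and entry["os_paths"] > 0

if __name__ == "__main__":
    for sig, e in summarize(SAMPLE).items():
        verdict = "review signature (likely FP)" if likely_broad_fp(e) else "investigate file"
        print(f"{sig}: {e['hits']} hits, types={sorted(e['exts'])}, "
              f"os_paths={e['os_paths']} -> {verdict}")
```

A positive result is a triage signal only; confirm by checking the flagged distro files against the package manager's recorded checksums before filing the false-positive report.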