Query Details

CVE 2024 29510 Ghostscript Library RCE Bug Exploited

Query

// CVE-2024-29510 Ghostscript library RCE bug Exploited
// https://www.linkedin.com/posts/activity-7216125838516178945-R-rj/

// Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device. Ghostscript comes pre-installed on many Linux distributions and is used by various document conversion software.

// MDE KQL to check impacted Windows/Linux workstations:

DeviceTvmSoftwareInventory
| where SoftwareName contains "ghostscript" and SoftwareVersion != "10.03.1"

Explanation

This KQL (Kusto Query Language) query is designed to identify Windows and Linux workstations that have a vulnerable version of the Ghostscript library installed. Ghostscript is a software suite used for processing PDF and PostScript files, and versions before 10.03.1 have a known security vulnerability (CVE-2024-29510) that allows remote code execution (RCE) and bypassing of the SAFER sandbox.

Here's a simple breakdown of the query:

  1. Data Source: The query pulls data from the DeviceTvmSoftwareInventory table, which contains information about software installed on devices.
  2. Filter Criteria:
    • The software name must contain "ghostscript".
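    • The software version must not be exactly "10.03.1". This is a string inequality, so it returns every other version string, including releases newer than 10.03.1, and not only the older, vulnerable versions.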

In summary, this query helps identify devices that are at risk due to having an outdated and vulnerable version of Ghostscript installed.
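A version-aware variant of the filter, as an added example that is not part of the original query: it uses `parse_version()` so that only versions before 10.03.1 are flagged. The `SampleInventory` rows, the `Status` labels and the assumption that `SoftwareVersion` holds dot-separated numeric strings are constructed for illustration.

```kql
// Added example: compare versions numerically instead of with a string inequality.
// SampleInventory is constructed test data, not real inventory output.
let FixedVersion = "10.03.1";
let SampleInventory = datatable(DeviceName:string, OSPlatform:string, SoftwareName:string, SoftwareVersion:string)
[
    "lnx-build-01", "Linux",     "ghostscript",     "9.55.0",
    "win-ws-17",    "Windows10", "gpl_ghostscript", "10.02.1",
    "lnx-web-03",   "Linux",     "ghostscript",     "10.03.1",
    "win-ws-22",    "Windows11", "gpl_ghostscript", "10.04.0",
    // Packaging-style string: not a pure dotted version, so parse_version()
    // is expected to return null and the row is routed to manual review.
    "lnx-db-02",    "Linux",     "ghostscript",     "9.27-12.el8"
];
SampleInventory   // replace with DeviceTvmSoftwareInventory to run against real data
| where SoftwareName contains "ghostscript"
| extend ParsedVersion = parse_version(SoftwareVersion)
| extend Status = case(
    isnull(ParsedVersion), "review manually (version string not parseable)",
    ParsedVersion < parse_version(FixedVersion), "vulnerable (before 10.03.1)",
    "not flagged by this check")
| project DeviceName, OSPlatform, SoftwareName, SoftwareVersion, Status
| order by Status asc, DeviceName asc
```

With the sample rows, the 10.03.1 and 10.04.0 devices are not flagged, whereas the original `!=` filter would also return the 10.04.0 device. The check compares the reported version number only, so a distribution package that carries a backported fix under an older version number still appears as vulnerable.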

Details

Steven Lim

Released: August 2, 2024

Tables

DeviceTvmSoftwareInventory

Keywords

DeviceTvmSoftwareInventory

Operators

|, where, contains, and, !=
