Query Details

CVE 2024 29510 Ghostscript Library RCE Bug Exploited

Query

// CVE-2024-29510 Ghostscript library RCE bug Exploited
// https://www.linkedin.com/posts/activity-7216125838516178945-R-rj/

// Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device. Ghostscript comes pre-installed on many Linux distributions and is used by various document conversion software.

// MDE KQL to check impacted Windows/Linux workstations:

DeviceTvmSoftwareInventory
| where SoftwareName contains "ghostscript" and SoftwareVersion != "10.03.1"

// MITRE ATT&CK Mapping
// This query aligns with the following MITRE ATT&CK techniques:

// T1082 - System Information Discovery: Attackers may use this technique to gather information about the software installed on a system, which can include identifying outdated or vulnerable versions1.
// T1518.001 - Software Discovery: This technique involves adversaries attempting to identify software installed on a system, which can help them understand the environment and identify potential targets2.
// By identifying devices with outdated versions of “ghostscript,” this query helps in detecting potential vulnerabilities that adversaries might exploit.

Explanation

This query is designed to identify computers that might be vulnerable to a specific security issue in the Ghostscript library, known as CVE-2024-29510. This vulnerability allows attackers to execute arbitrary code by exploiting a memory corruption flaw and bypassing security measures in Ghostscript versions before 10.03.1. Ghostscript is commonly found on many Linux systems and is used by various document conversion tools.

The query checks the software inventory of devices to find any that have Ghostscript installed with a version other than 10.03.1, which is the patched version. This helps in identifying systems that might be at risk.

Additionally, the query aligns with certain MITRE ATT&CK techniques:

  • T1082: System Information Discovery, where attackers gather information about installed software to find outdated or vulnerable versions.
  • T1518.001: Software Discovery, where adversaries identify software on a system to understand the environment and find potential targets.

By running this query, organizations can detect devices with outdated Ghostscript versions and take steps to mitigate the risk of exploitation.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

DeviceTvmSoftwareInventory

Keywords

DeviceTvmSoftwareInventory

Operators

contains!=|where

MITRE Techniques

Actions

GitHub