Query Details

CVE-2024-38063 CVSS 9.8 Prioritization

Query

// CVE-2024-38063 CVSS 9.8 Prioritization
// Linkedin Post: https://www.linkedin.com/posts/0x534c_defenderxdr-exposuremanagement-mde-activity-7229516269274685443-fTwM/
// An attacker can remotely exploit this vulnerability by sending specially crafted IPv6 packets to a target host. No user interaction is needed, making it a ‘0-click’ vulnerability. Only IPv6 packets can be used to exploit this critical vulnerability.

// It is important to identify privileged admin endpoints that are running IPv6 and are internet-facing. Prioritizing the patching of these endpoints is crucial, as they hold the keys to your systems.

// Using Defender XDR Exposure Management and Microsoft Defender for Endpoint schema information, we can determine this important group of endpoints and prioritize them for patching.

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4 
| distinct NodeName;
let CriticalDevices =
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| where tobool(isLocalAdmin) == true // keep only devices where the critical identity is a local admin
| distinct DName;
let VulnerableCriticalDevices =
DeviceTvmSoftwareVulnerabilities 
| where CveId == "CVE-2024-38063"
| where DeviceName has_any (CriticalDevices)
| distinct DeviceName;
DeviceNetworkInfo
| where Timestamp > ago(30d)
| mv-expand todynamic(IPAddresses)
| extend IP = tostring(IPAddresses.IPAddress)
| where IPAddresses has "Public" and IP contains ":" // IPv6 Public Facing
| where DeviceName has_any(VulnerableCriticalDevices) // Critical Devices

// MSRC Security Updates (CVE-2024-38063)
// Link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063

// #DefenderXDR #ExposureManagement #MDE #IPv6 #CriticalVulnerability 

Explanation

This KQL query identifies critical admin endpoints that are vulnerable to CVE-2024-38063 so that their patching can be prioritized. Here's a simplified breakdown:

  1. Identify Critical Identities:
    • The query first identifies critical identities (users or entities) with a criticality level less than 4.
  2. Identify Critical Devices:
    • It then finds devices that these critical identities can authenticate to, specifically focusing on those where the user has local admin rights.
  3. Find Vulnerable Devices:
    • The query checks which of these critical devices are vulnerable to CVE-2024-38063.
  4. Filter for Internet-Facing IPv6 Devices:
    • Finally, it filters these vulnerable devices to find those that have public-facing IPv6 addresses.

The result is a list of critical admin endpoints that are both vulnerable to CVE-2024-38063 and exposed to the internet via IPv6, which should be prioritized for patching.
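The four stages above can be modelled offline to check the logic before running it against a tenant. The following Python is an added example, not part of the original query or of any Microsoft tooling: it reproduces each stage over constructed sample rows shaped like ExposureGraphNodes, ExposureGraphEdges, DeviceTvmSoftwareVulnerabilities and DeviceNetworkInfo. Two assumptions differ from the KQL: device and identity names are matched exactly (the query uses the term-based `has_any`), and the IPv6 test uses the `ipaddress` module instead of the `contains ":"` heuristic, so malformed values are rejected and link-local fe80::/10 addresses are never counted as internet-facing.

```python
"""Offline model of the CVE-2024-38063 prioritization pipeline (added example)."""
import ipaddress

CVE = "CVE-2024-38063"

# Constructed sample rows; names and addresses are made up for illustration.
EXPOSURE_GRAPH_NODES = [
    {"NodeId": "n1", "NodeName": "alice@contoso.example", "Categories": ["identity"],
     "NodeProperties": {"rawData": {"criticalityLevel": {"criticalityLevel": 0}}}},
    {"NodeId": "n2", "NodeName": "bob@contoso.example", "Categories": ["identity"],
     "NodeProperties": {"rawData": {"criticalityLevel": {"criticalityLevel": 4}}}},
    {"NodeId": "n3", "NodeName": "svc-backup", "Categories": ["identity"],
     "NodeProperties": {"rawData": {}}},  # no criticality assigned
    {"NodeId": "d1", "NodeName": "admin-ws01", "Categories": ["device"],
     "NodeProperties": {"rawData": {"deviceName": "admin-ws01.contoso.example"}}},
    {"NodeId": "d2", "NodeName": "fileserver02", "Categories": ["device"],
     "NodeProperties": {"rawData": {"deviceName": "fileserver02.contoso.example"}}},
    {"NodeId": "d3", "NodeName": "kiosk03", "Categories": ["device"],
     "NodeProperties": {"rawData": {"deviceName": "kiosk03.contoso.example"}}},
]
EXPOSURE_GRAPH_EDGES = [
    {"EdgeLabel": "can authenticate to", "SourceNodeName": "alice@contoso.example",
     "TargetNodeId": "d1", "EdgeProperties": {"rawData": {"userRightsOnDevice": {"isLocalAdmin": True}}}},
    {"EdgeLabel": "can authenticate to", "SourceNodeName": "alice@contoso.example",
     "TargetNodeId": "d3", "EdgeProperties": {"rawData": {"userRightsOnDevice": {"isLocalAdmin": False}}}},
    {"EdgeLabel": "can authenticate to", "SourceNodeName": "bob@contoso.example",
     "TargetNodeId": "d2", "EdgeProperties": {"rawData": {"userRightsOnDevice": {"isLocalAdmin": True}}}},
]
TVM_VULNS = [
    {"DeviceName": "admin-ws01.contoso.example", "CveId": CVE},
    {"DeviceName": "fileserver02.contoso.example", "CveId": CVE},
    {"DeviceName": "kiosk03.contoso.example", "CveId": CVE},
]
NETWORK_INFO = [
    {"DeviceName": "admin-ws01.contoso.example", "IPAddresses": [
        {"IPAddress": "fe80::1c2a:3b4c:5d6e:7f80", "AddressType": "Private"},
        {"IPAddress": "2001:db8::10", "AddressType": "Public"}]},
    {"DeviceName": "fileserver02.contoso.example", "IPAddresses": [
        {"IPAddress": "2001:db8::20", "AddressType": "Public"}]},
    {"DeviceName": "kiosk03.contoso.example", "IPAddresses": [
        {"IPAddress": "203.0.113.5", "AddressType": "Public"}]},
]


def critical_identities(nodes, max_level=4):
    """Stage 1: identity nodes with an assigned criticality level below max_level."""
    out = set()
    for n in nodes:
        if "identity" not in n["Categories"]:
            continue
        level = n["NodeProperties"]["rawData"].get("criticalityLevel")
        if level is not None and level["criticalityLevel"] < max_level:
            out.add(n["NodeName"])
    return out


def critical_devices(edges, nodes, identities):
    """Stage 2: devices a critical identity can authenticate to as local admin."""
    by_id = {n["NodeId"]: n for n in nodes}
    out = set()
    for e in edges:
        if e["EdgeLabel"] != "can authenticate to" or e["SourceNodeName"] not in identities:
            continue
        rights = e["EdgeProperties"]["rawData"].get("userRightsOnDevice", {})
        if not rights.get("isLocalAdmin"):
            continue
        target = by_id.get(e["TargetNodeId"])
        dname = target["NodeProperties"]["rawData"].get("deviceName") if target else None
        if dname:
            out.add(dname)
    return out


def vulnerable_devices(vulns, devices, cve=CVE):
    """Stage 3: critical devices carrying a TVM finding for the CVE."""
    return {v["DeviceName"] for v in vulns if v["CveId"] == cve and v["DeviceName"] in devices}


def is_public_ipv6(entry):
    """Stage 4 test: public-typed, well-formed IPv6, and not link-local."""
    try:
        addr = ipaddress.ip_address(entry.get("IPAddress", ""))
    except ValueError:
        return False  # malformed value would pass a plain `contains ":"` check
    return entry.get("AddressType") == "Public" and addr.version == 6 and not addr.is_link_local


def prioritized(network, vulnerable):
    """Stage 4: (device, IPv6) pairs that are vulnerable, critical and internet-facing."""
    return [(row["DeviceName"], ip["IPAddress"]) for row in network
            if row["DeviceName"] in vulnerable
            for ip in row["IPAddresses"] if is_public_ipv6(ip)]


def run():
    ids = critical_identities(EXPOSURE_GRAPH_NODES)
    devs = critical_devices(EXPOSURE_GRAPH_EDGES, EXPOSURE_GRAPH_NODES, ids)
    return prioritized(NETWORK_INFO, vulnerable_devices(TVM_VULNS, devs))


if __name__ == "__main__":
    print(run())  # [('admin-ws01.contoso.example', '2001:db8::10')]
```

On the sample data only admin-ws01 survives: bob's criticality level is not below 4, alice is not a local admin on kiosk03, and kiosk03's only public address is IPv4. fileserver02 is vulnerable and public-facing over IPv6 but is not reachable by any critical identity, which is exactly the set the query deprioritizes.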

Details


Steven Lim

Released: August 14, 2024

Tables

ExposureGraphNodes, ExposureGraphEdges, DeviceTvmSoftwareVulnerabilities, DeviceNetworkInfo

Keywords

Devices, Intune, User, Network, Security, Vulnerability

Operators

let, |, where, set_has_element, isnotnull, and, <, distinct, ==, join, on, $left, $right, extend, tostring, has_any, mv-expand, todynamic, contains, >, ago
