CVE 2024 38063 CVSS 98 Prioritization
Query
// CVE-2024-38063 CVSS 9.8 Prioritization
// Linkedin Post: https://www.linkedin.com/posts/0x534c_defenderxdr-exposuremanagement-mde-activity-7229516269274685443-fTwM/
// An attacker can remotely exploit this vulnerability by sending specially crafted IPv6 packets to a target host. No user interaction is needed, making it a ‘0-click’ vulnerability. Only IPv6 packets can be used to exploit this critical vulnerability.
// It is important to identify privileged admin endpoints that are running IPv6 and are internet-facing. Prioritizing the patching of these endpoints is crucial, as they hold the keys to your systems.
// Using DefenderXDR Exposure Management and Microsoft Defender for Endpoint schema information, we are able to determine these important group of endpoints to be prioritize for patching.
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| distinct NodeName;
let CriticalDevices =
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
let VulnerableCriticalDevices =
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-38063"
| where DeviceName has_any (CriticalDevices)
| distinct DeviceName;
DeviceNetworkInfo
| where Timestamp > ago(30d)
| mv-expand todynamic(IPAddresses)
| extend IP = tostring(IPAddresses.IPAddress)
| where IPAddresses has "Public" and IP contains ":" // IPv6 Public Facing
| where DeviceName has_any(VulnerableCriticalDevices) // Critical Devices
// MSRC Security Updates (CVE-2024-38063)
// Link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063
// #DefenderXDR #ExposureManagement #MDE #IPv6 #CriticalVulnerability
// MITRE ATT&CK Mapping
// T1078: Valid Accounts - Identifying critical accounts that could be targeted.
// T1078: Valid Accounts - Identifying devices that can be accessed using valid accounts.
// T1078.003: Local Accounts - Identifying local admin accounts on devices.
// T1190: Exploit Public-Facing Application - Identifying devices vulnerable to exploitation.
// T1049: System Network Connections Discovery - Identifying network connections.
// T1016: System Network Configuration Discovery - Identifying network configurations.
// This KQL query sequence is designed to identify critical identities and devices, determine their vulnerabilities, and find public-facing IPv6
// addresses. The associated MITRE ATT&CK techniques include Valid Accounts, Exploit Public-Facing Application, System Network Connections
// Discovery, and System Network Configuration Discovery.Explanation
This KQL query is designed to help prioritize the patching of critical systems that are vulnerable to a specific security flaw, CVE-2024-38063, which has a high severity score of 9.8. The vulnerability can be exploited remotely through specially crafted IPv6 packets without any user interaction, making it a significant threat.
Here's a simplified breakdown of the query:
-
Identify Critical Identities: The query first identifies important user accounts (identities) that have a high level of criticality within the system.
-
Identify Critical Devices: It then finds devices that these critical identities can authenticate to, especially focusing on those where the user has local admin rights.
-
Find Vulnerable Devices: The query checks which of these critical devices are vulnerable to the CVE-2024-38063 vulnerability.
-
Locate Public-Facing IPv6 Addresses: Finally, it identifies which of these vulnerable devices have public-facing IPv6 addresses, as these are the ones that could be exploited remotely.
The query uses data from DefenderXDR Exposure Management and Microsoft Defender for Endpoint to achieve this. It emphasizes the importance of patching these identified endpoints promptly to protect against potential attacks.
Additionally, the query is mapped to several MITRE ATT&CK techniques, which are frameworks for understanding and categorizing cyber threats. These include identifying valid accounts, exploiting public-facing applications, and discovering network connections and configurations.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators