Query Details

CURL High Severity Vulnerability

Curl CVE 2023 38545

Query

// List all devices that have curl installed or use curl.
let ProcessBasedDevices = DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where ProcessCommandLine has "curl"
    | distinct DeviceId, DeviceName;
DeviceTvmSoftwareInventory
| where SoftwareName has "curl"
| extend SubVersion = tolong(substring(SoftwareVersion, 3))
| where SubVersion < 8.4
| join kind=fullouter ProcessBasedDevices on DeviceId
| extend Method = iff(isempty(SoftwareVersion), "Process", "Software Inventory")
| extend CombinedName = iff(isempty(DeviceName), DeviceName1, DeviceName)
| extend CombinedId = iff(isempty(DeviceId), DeviceId1, DeviceId)
| project CombinedId, CombinedName, Method, SoftwareName, SoftwareVersion, SoftwareVendor
// To only list unique devices (evidence is then not included)
//| distinct CombinedId, CombinedName

About this query

Explanation

This query is designed to help identify systems that are potentially vulnerable to a high-severity security issue in the curl software, specifically CVE-2023-38545. Here's a simple breakdown of what the query does:

  1. Identify Devices with Curl:

    • The first part of the query looks for devices that have executed the curl command in the past 30 days or have curl installed. It checks two sources:
      • Process-Based Devices: It searches through device process events to find any command lines that include "curl."
      • Software Inventory: It checks the software inventory for curl installations with a version number less than 8.4.
  2. Combine and Display Results:

    • It combines the results from both sources to ensure all devices with curl are listed, regardless of how they were identified.
    • The query then displays the device ID, device name, method of identification (either through process events or software inventory), software name, version, and vendor.
  3. Identify Vulnerable Devices:

    • The second part of the query focuses on identifying devices that have not been patched for the vulnerabilities CVE-2023-38545 and CVE-2023-38546. - It filters for devices with these vulnerabilities and lists their details, but it will only show results after the vulnerability data is indexed, which is expected after October 11th.

Overall, this query helps organizations proactively identify and manage devices that might be affected by the curl vulnerability, allowing them to take necessary actions before the official fix is released.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceProcessEventsDeviceTvmSoftwareInventoryDeviceTvmSoftwareVulnerabilities

Keywords

DevicesSoftwareVulnerabilities

Operators

let|where>ago()hasdistinctextendtolong()substring()<joinkind=fullouteroniff()isempty()projectin==

Actions

GitHub