CURL High Severity Vulnerability
Curl CVE 2023 38545
Query
// List all devices that have curl installed or use curl.
let ProcessBasedDevices = DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has "curl"
| distinct DeviceId, DeviceName;
DeviceTvmSoftwareInventory
| where SoftwareName has "curl"
| extend SubVersion = tolong(substring(SoftwareVersion, 3))
| where SubVersion < 8.4
| join kind=fullouter ProcessBasedDevices on DeviceId
| extend Method = iff(isempty(SoftwareVersion), "Process", "Software Inventory")
| extend CombinedName = iff(isempty(DeviceName), DeviceName1, DeviceName)
| extend CombinedId = iff(isempty(DeviceId), DeviceId1, DeviceId)
| project CombinedId, CombinedName, Method, SoftwareName, SoftwareVersion, SoftwareVendor
// To only list unique devices (evidence is then not included)
//| distinct CombinedId, CombinedNameAbout this query
Explanation
This query is designed to help identify systems that are potentially vulnerable to a high-severity security issue in the curl software, specifically CVE-2023-38545. Here's a simple breakdown of what the query does:
-
Identify Devices with Curl:
- The first part of the query looks for devices that have executed the curl command in the past 30 days or have curl installed. It checks two sources:
- Process-Based Devices: It searches through device process events to find any command lines that include "curl."
- Software Inventory: It checks the software inventory for curl installations with a version number less than 8.4.
- The first part of the query looks for devices that have executed the curl command in the past 30 days or have curl installed. It checks two sources:
-
Combine and Display Results:
- It combines the results from both sources to ensure all devices with curl are listed, regardless of how they were identified.
- The query then displays the device ID, device name, method of identification (either through process events or software inventory), software name, version, and vendor.
-
Identify Vulnerable Devices:
- The second part of the query focuses on identifying devices that have not been patched for the vulnerabilities CVE-2023-38545 and CVE-2023-38546. - It filters for devices with these vulnerabilities and lists their details, but it will only show results after the vulnerability data is indexed, which is expected after October 11th.
Overall, this query helps organizations proactively identify and manage devices that might be affected by the curl vulnerability, allowing them to take necessary actions before the official fix is released.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
DeviceProcessEventsDeviceTvmSoftwareInventoryDeviceTvmSoftwareVulnerabilities
Keywords
DevicesSoftwareVulnerabilities
Operators
let|where>ago()hasdistinctextendtolong()substring()<joinkind=fullouteroniff()isempty()projectin==