Query Details

Curl CVE 2023 38545

Query

# CURL High Severity Vulnerability

## Query Information

#### Description
The maintainers of curl have informed us about two vulnerabilities in the software that will be fixed on the 11th of October. CVE-2023-38545 has a high severity and affects both libcurl and the curl tool. This page can help you identify systems that run curl beforehand, so that you can take immediate action if needed. As advised by multiple security organisations, your company should create an inventory of all systems that run curl. This can be done by running the following query in Defender For Endpoint.

### Defender For Endpoint
```
// List all devices that have curl installed or use curl.
let ProcessBasedDevices = DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where ProcessCommandLine has "curl"
    | distinct DeviceId, DeviceName;
DeviceTvmSoftwareInventory
| where SoftwareName has "curl"
// fullouter keeps devices seen by either source; a rightouter join would drop devices
// that have curl in the software inventory but ran no curl process in the last 30 days.
| join kind=fullouter ProcessBasedDevices on DeviceId
// Rows without a SoftwareVersion come only from process evidence.
| extend Method = iff(isempty(SoftwareVersion), "Process", "Software Inventory")
| extend CombinedName = iff(isempty(DeviceName), DeviceName1, DeviceName)
| extend CombinedId = iff(isempty(DeviceId), DeviceId1, DeviceId)
| project CombinedId, CombinedName, Method, SoftwareName, SoftwareVersion, SoftwareVendor
// To only list unique devices (evidence is then not included)
//| distinct CombinedId, CombinedName
```

### Defender For Endpoint
```
// List devices that have not been patched yet.
// This query will only show results after MDE has indexed the vulnerable devices, thus no results are expected before the 11th of October.
DeviceTvmSoftwareVulnerabilities
| where CveId in ('CVE-2023-38545', 'CVE-2023-38546')
// If you only want to filter on the high severity CVE-2023-38545 use:
// | where CveId == 'CVE-2023-38545'
| project DeviceId, DeviceName, SoftwareName, SoftwareVersion, SoftwareVendor
```
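The two queries above only show results inside Defender for Endpoint, so it is hard to check what the join and the `Method` column actually produce before the 11th of October. The following script is an added example, not part of the original page or the author's queries: it reproduces the triage logic on constructed sample rows in the shape of `DeviceTvmSoftwareInventory` and `DeviceProcessEvents` (device IDs, names and versions are made up), unions inventory-based and process-based evidence, and flags versions below curl 8.4.0, the fixed version named in the Qualys reference below.

```python
import re

# Added example (not the page's or the author's code). All sample rows below are
# constructed; the fixed version 8.4.0 is taken from the Qualys reference title.
FIXED_VERSION = (8, 4, 0)

# Constructed rows in the shape of DeviceTvmSoftwareInventory.
SOFTWARE_INVENTORY = [
    {"DeviceId": "dev-001", "DeviceName": "web01",   "SoftwareName": "curl",
     "SoftwareVersion": "8.2.1",     "SoftwareVendor": "haxx"},
    {"DeviceId": "dev-002", "DeviceName": "build02", "SoftwareName": "curl",
     "SoftwareVersion": "8.4.0",     "SoftwareVendor": "haxx"},
    {"DeviceId": "dev-004", "DeviceName": "db04",    "SoftwareName": "curl",
     "SoftwareVersion": "7.88.1-10", "SoftwareVendor": "haxx"},
]

# Constructed rows in the shape of DeviceProcessEvents (within the 30-day window).
PROCESS_EVENTS = [
    {"DeviceId": "dev-001", "DeviceName": "web01",
     "ProcessCommandLine": "curl -sS https://intranet.example/health"},
    {"DeviceId": "dev-003", "DeviceName": "jump03",
     "ProcessCommandLine": "/usr/bin/curl -o out.json https://api.example/v1"},
    {"DeviceId": "dev-003", "DeviceName": "jump03",
     "ProcessCommandLine": "curl --version"},
    {"DeviceId": "dev-005", "DeviceName": "pc05",
     "ProcessCommandLine": "notepad.exe C:\\report.txt"},
]

# KQL `has` matches a whole term, so "libcurl.so" does not match "curl"; \b mirrors that.
_CURL_TERM = re.compile(r"\bcurl\b", re.IGNORECASE)


def mentions_curl(command_line: str) -> bool:
    """Approximates `ProcessCommandLine has "curl"` (term match, not substring)."""
    return _CURL_TERM.search(command_line) is not None


def parse_version(version: str):
    """Leading dotted numeric part only, so '7.88.1-10+deb12u4' -> (7, 88, 1)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def is_unpatched(version: str) -> bool:
    """True when the inventoried version is older than the fixed release."""
    parsed = parse_version(version)
    return parsed is not None and parsed < FIXED_VERSION


def process_based_devices(events):
    """Mirrors `ProcessBasedDevices`: distinct devices whose command lines used curl."""
    found = {}
    for ev in events:
        if mentions_curl(ev["ProcessCommandLine"]):
            found[ev["DeviceId"]] = ev["DeviceName"]
    return found


def curl_inventory(inventory, events):
    """Union of inventory and process evidence, like the fullouter join in the query.

    Inventory rows keep their version and get Method = "Software Inventory"; devices
    seen only through process events get Method = "Process" and no version.
    """
    by_process = process_based_devices(events)
    rows, in_inventory = [], set()
    for sw in inventory:
        # Substring match here (KQL `contains` semantics) so names like "libcurl" are kept.
        if "curl" not in sw["SoftwareName"].lower():
            continue
        in_inventory.add(sw["DeviceId"])
        rows.append({"CombinedId": sw["DeviceId"], "CombinedName": sw["DeviceName"],
                     "Method": "Software Inventory", "SoftwareName": sw["SoftwareName"],
                     "SoftwareVersion": sw["SoftwareVersion"],
                     "SoftwareVendor": sw["SoftwareVendor"]})
    for device_id, name in by_process.items():
        if device_id not in in_inventory:
            rows.append({"CombinedId": device_id, "CombinedName": name, "Method": "Process",
                         "SoftwareName": "", "SoftwareVersion": "", "SoftwareVendor": ""})
    return sorted(rows, key=lambda r: r["CombinedId"])


def unpatched_devices(rows):
    """Rows whose known version is below the fixed one; process-only rows cannot be judged."""
    return [r for r in rows if r["SoftwareVersion"] and is_unpatched(r["SoftwareVersion"])]


if __name__ == "__main__":
    result = curl_inventory(SOFTWARE_INVENTORY, PROCESS_EVENTS)
    for r in result:
        print(f'{r["CombinedId"]:8} {r["CombinedName"]:8} {r["Method"]:18} '
              f'{r["SoftwareVersion"] or "-"}')
    print("below fixed version:", [r["CombinedId"] for r in unpatched_devices(result)])
```

Two points the sample makes visible: a device seen only through process events (`dev-003` here) has no version and so cannot be cleared by the second query; it needs a manual version check. And the inventory filter in the KQL uses `has`, which matches whole terms, so a package inventoried under a name such as `libcurl4` would not be returned by `SoftwareName has "curl"`; switch to `contains` if your inventory names curl that way.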

#### References
- https://www.rezilion.com/blog/cve-2023-38545-a-high-severity-curl-and-libcurl-cve-to-be-published-on-october-11th/
- https://blog.qualys.com/vulnerabilities-threat-research/2023/10/05/curl-8-4-0-proactively-identifying-potential-vulnerable-assets
- https://www.docker.com/blog/security-advisory-high-severity-curl-vulnerability/


Explanation

The first query identifies systems that have curl installed or have used curl. It returns the device ID, device name, method of detection (software inventory or process-based), software name, version, and vendor. The second query lists devices that have not yet been patched for CVE-2023-38545 (high severity) and CVE-2023-38546, returning the device ID, name, software name, version, and vendor.

Details

Bert-Jan Pals

Released: October 9, 2023

Tables

DeviceProcessEvents, DeviceTvmSoftwareInventory

Keywords

Devices,Intune,User

Operators

|, let, where, distinct, join, extend, iff, isempty, project