Git Critical Vulnerability CVE 2024 32002
Query
// Git Critical Vulnerability CVE-2024-32002
// https://www.linkedin.com/posts/activity-7197478049729110016-TGar/
// Git is a widely-popular distributed version control system for collaborative software development. Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002).
// Privilege Role Admin with vulnerable Git:
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| distinct NodeName;
let CriticalDevices =
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-32002"
| where DeviceName has_any (CriticalDevices)
// MITRE ATT&CK Mapping
// The KQL query is designed to identify critical identities and devices, and then find devices with a specific vulnerability. The associated MITRE ATT&CK techniques include:
// T1078: Valid Accounts
// T1078.001: Valid Accounts: Local Accounts
// T1078.003: Valid Accounts: Local Administrator Account
// T1190: Exploit Public-Facing Application
// T1210: Exploitation of Remote ServicesExplanation
This KQL query is designed to identify potential security risks related to a critical Git vulnerability (CVE-2024-32002) that allows remote code execution when cloning repositories with submodules. Here's a simple breakdown of what the query does:
-
Identify Critical Identities: The query first looks for identities (users or accounts) that have a criticality level below 4, indicating they are important but potentially vulnerable. These identities are stored in a list called
CriticalIdentities. -
Identify Critical Devices: Next, it finds devices that these critical identities can authenticate to, specifically checking if the identity has local admin rights on those devices. These devices are stored in a list called
CriticalDevices. -
Find Vulnerable Devices: Finally, the query checks for devices from the
CriticalDeviceslist that have the specific Git vulnerability (CVE-2024-32002).
The query also maps these findings to relevant MITRE ATT&CK techniques, which are frameworks for understanding and categorizing cyber threats. The techniques include:
- T1078: Valid Accounts
- T1078.001: Local Accounts
- T1078.003: Local Administrator Account
- T1190: Exploit Public-Facing Application
- T1210: Exploitation of Remote Services
In summary, this query helps identify critical users and devices that might be at risk due to a specific Git vulnerability, and it aligns these findings with known cyber threat techniques for better understanding and response.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators