Query Details

Git Critical Vulnerability CVE 2024 32002

Query

// Git Critical Vulnerability CVE-2024-32002
// https://www.linkedin.com/posts/activity-7197478049729110016-TGar/

// Git is a widely-popular distributed version control system for collaborative software development. Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002).

// Privilege Role Admin with vulnerable Git:

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4 
| distinct NodeName;
let CriticalDevices =
ExposureGraphEdges 
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
| distinct DName;
DeviceTvmSoftwareVulnerabilities 
| where CveId == "CVE-2024-32002"
| where DeviceName has_any (CriticalDevices)

// MITRE ATT&CK Mapping

// The KQL query is designed to identify critical identities and devices, and then find devices with a specific vulnerability. The associated MITRE ATT&CK techniques include:

// T1078: Valid Accounts
// T1078.001: Valid Accounts: Local Accounts
// T1078.003: Valid Accounts: Local Administrator Account
// T1190: Exploit Public-Facing Application
// T1210: Exploitation of Remote Services

Explanation

This KQL query is designed to identify potential security risks related to a critical Git vulnerability (CVE-2024-32002) that allows remote code execution when cloning repositories with submodules. Here's a simple breakdown of what the query does:

  1. Identify Critical Identities: The query first looks for identities (users or accounts) that have a criticality level below 4, indicating they are important but potentially vulnerable. These identities are stored in a list called CriticalIdentities.

  2. Identify Critical Devices: Next, it finds devices that these critical identities can authenticate to, specifically checking if the identity has local admin rights on those devices. These devices are stored in a list called CriticalDevices.

  3. Find Vulnerable Devices: Finally, the query checks for devices from the CriticalDevices list that have the specific Git vulnerability (CVE-2024-32002).

The query also maps these findings to relevant MITRE ATT&CK techniques, which are frameworks for understanding and categorizing cyber threats. The techniques include:

  • T1078: Valid Accounts
  • T1078.001: Local Accounts
  • T1078.003: Local Administrator Account
  • T1190: Exploit Public-Facing Application
  • T1210: Exploitation of Remote Services

In summary, this query helps identify critical users and devices that might be at risk due to a specific Git vulnerability, and it aligns these findings with known cyber threat techniques for better understanding and response.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

ExposureGraphNodesExposureGraphEdgesDeviceTvmSoftwareVulnerabilities

Keywords

ExposureGraphNodesExposureGraphEdgesDeviceTvmSoftwareVulnerabilitiesCategoriesNodePropertiesEdgePropertiesCriticalIdentitiesCriticalDevicesNodeNameDeviceNameCveId

Operators

letset_has_elementwhereisnotnulland<distinctjoinon==extendtostringhas_any

Actions

GitHub