Query Details

Git Critical Vulnerability CVE 2024 32002

Query

// Git Critical Vulnerability CVE-2024-32002
// https://www.linkedin.com/posts/activity-7197478049729110016-TGar/

// Git is a widely-popular distributed version control system for collaborative software development. Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002).

// Privilege Role Admin with vulnerable Git:

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
// keep only identities that have an assigned criticality; a lower value means a more critical asset
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel < 4 
| distinct NodeName;
let CriticalDevices =
ExposureGraphEdges 
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)
| extend isLocalAdmin = EdgeProperties.rawData.userRightsOnDevice.isLocalAdmin
| where SourceNodeName has_any (CriticalIdentities)
// keep only the devices where the critical identity holds local admin rights
| where tobool(isLocalAdmin) == true
| distinct DName;
DeviceTvmSoftwareVulnerabilities 
| where CveId == "CVE-2024-32002"
| where DeviceName has_any (CriticalDevices)

Explanation

This KQL (Kusto Query Language) query is designed to identify devices that are vulnerable to a specific critical Git vulnerability (CVE-2024-32002) and are accessible by privileged identities. Here's a simplified summary of what the query does:

  1. Identify Critical Identities:

    • It looks for identities (users or accounts) in the system that have a criticality level less than 4 (indicating high importance or privilege).
    • It collects the names of these critical identities.
  2. Identify Devices Accessible by Critical Identities:

    • It finds devices that these critical identities can authenticate to.
    • It checks if these identities have local admin rights on these devices.
    • It collects the names of these devices.
  3. Find Vulnerable Devices:

    • It searches for devices that have the specific Git vulnerability (CVE-2024-32002).
    • It filters the results to only include the devices identified in the previous step.

In essence, the query identifies high-privilege identities, determines which devices they can access with admin rights, and then checks if those devices are vulnerable to the specified Git vulnerability.
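To make the three correlation steps traceable without a Defender XDR tenant, here is an added Python re-implementation of the same logic over small constructed in-memory tables (this is illustration code, not part of the original post or of the KQL itself). Table and field names mirror the schema used in the query; every row is made up. Two simplifications are assumed: string comparisons are exact matches rather than KQL's term-based `has_any`, and the `require_local_admin` switch stands in for the local-admin check the explanation describes.

```python
# Added example: the query's three steps over constructed sample rows (not Defender data).

CRITICALITY_THRESHOLD = 4        # the query keeps identities with criticalityLevel < 4
TARGET_CVE = "CVE-2024-32002"    # CVE filtered on by the query

# Constructed ExposureGraphNodes rows: three identities and three devices
EXPOSURE_GRAPH_NODES = [
    {"NodeId": "n1", "NodeName": "alice@contoso.example", "Categories": ["identity"],
     "NodeProperties": {"rawData": {"criticalityLevel": {"criticalityLevel": 1}}}},
    {"NodeId": "n2", "NodeName": "svc-backup@contoso.example", "Categories": ["identity"],
     "NodeProperties": {"rawData": {"criticalityLevel": {"criticalityLevel": 4}}}},
    {"NodeId": "n3", "NodeName": "bob@contoso.example", "Categories": ["identity"],
     "NodeProperties": {"rawData": {}}},          # no criticality assigned: isnotnull() fails
    {"NodeId": "n10", "NodeName": "build01", "Categories": ["device"],
     "NodeProperties": {"rawData": {"deviceName": "build01.contoso.example"}}},
    {"NodeId": "n11", "NodeName": "dev02", "Categories": ["device"],
     "NodeProperties": {"rawData": {"deviceName": "dev02.contoso.example"}}},
    {"NodeId": "n12", "NodeName": "lab03", "Categories": ["device"],
     "NodeProperties": {"rawData": {"deviceName": "lab03.contoso.example"}}},
]

# Constructed ExposureGraphEdges rows (edge label, source identity, target node id, rights)
EXPOSURE_GRAPH_EDGES = [
    {"EdgeLabel": "can authenticate to", "SourceNodeName": "alice@contoso.example", "TargetNodeId": "n10",
     "EdgeProperties": {"rawData": {"userRightsOnDevice": {"isLocalAdmin": True}}}},
    {"EdgeLabel": "can authenticate to", "SourceNodeName": "alice@contoso.example", "TargetNodeId": "n11",
     "EdgeProperties": {"rawData": {"userRightsOnDevice": {"isLocalAdmin": False}}}},
    {"EdgeLabel": "can authenticate to", "SourceNodeName": "svc-backup@contoso.example", "TargetNodeId": "n12",
     "EdgeProperties": {"rawData": {"userRightsOnDevice": {"isLocalAdmin": True}}}},
    {"EdgeLabel": "has permissions to", "SourceNodeName": "alice@contoso.example", "TargetNodeId": "n12",
     "EdgeProperties": {"rawData": {}}},          # different edge label: ignored by the query
]

# Constructed DeviceTvmSoftwareVulnerabilities rows
DEVICE_TVM_SOFTWARE_VULNERABILITIES = [
    {"DeviceName": "build01.contoso.example", "CveId": TARGET_CVE},
    {"DeviceName": "dev02.contoso.example", "CveId": TARGET_CVE},
    {"DeviceName": "lab03.contoso.example", "CveId": TARGET_CVE},
    {"DeviceName": "build01.contoso.example", "CveId": "CVE-PLACEHOLDER-OTHER"},  # unrelated finding
]


def critical_identities(nodes, threshold=CRITICALITY_THRESHOLD):
    """Step 1: identity nodes whose assigned criticalityLevel is below the threshold."""
    names = set()
    for node in nodes:
        if "identity" not in node["Categories"]:
            continue
        level = node["NodeProperties"]["rawData"].get("criticalityLevel")
        if level is None:                       # mirrors isnotnull(...)
            continue
        if level["criticalityLevel"] < threshold:
            names.add(node["NodeName"])
    return names


def critical_devices(edges, nodes, identities, require_local_admin=True):
    """Step 2: devices the critical identities can authenticate to (inner join on TargetNodeId -> NodeId)."""
    node_by_id = {n["NodeId"]: n for n in nodes}
    devices = set()
    for edge in edges:
        if edge["EdgeLabel"] != "can authenticate to":
            continue
        if edge["SourceNodeName"] not in identities:
            continue
        target = node_by_id.get(edge["TargetNodeId"])
        if target is None:                      # inner join drops edges with no matching node
            continue
        rights = edge["EdgeProperties"]["rawData"].get("userRightsOnDevice", {})
        if require_local_admin and not rights.get("isLocalAdmin"):
            continue
        devices.add(target["NodeProperties"]["rawData"]["deviceName"])
    return devices


def vulnerable_critical_devices(vulns, devices, cve_id=TARGET_CVE):
    """Step 3: findings for the CVE, restricted to the devices from step 2."""
    return sorted({row["DeviceName"] for row in vulns
                   if row["CveId"] == cve_id and row["DeviceName"] in devices})


def run_query(require_local_admin=True):
    """Run the three steps end to end over the constructed tables."""
    ids = critical_identities(EXPOSURE_GRAPH_NODES)
    devs = critical_devices(EXPOSURE_GRAPH_EDGES, EXPOSURE_GRAPH_NODES, ids, require_local_admin)
    return vulnerable_critical_devices(DEVICE_TVM_SOFTWARE_VULNERABILITIES, devs)


if __name__ == "__main__":
    print(run_query())                          # ['build01.contoso.example']
```

With the sample rows, only `alice@contoso.example` passes the criticality filter, so `lab03` (reachable only by the non-critical service account) never appears even though it carries the CVE, and `dev02` drops out as soon as the local-admin check is enforced. Toggling `require_local_admin` shows why that check matters: without it the result grows to every device the critical identity can reach at all.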

Details


Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodes, ExposureGraphEdges, DeviceTvmSoftwareVulnerabilities

Keywords

Devices, Vulnerabilities, Identity

Operators

let, set_has_element, where, isnotnull, and, <, distinct, join, on, ==, extend, tostring, has_any
