Query Details

CVE 2024 3094 With CVSS Score 10

Query

//CVE-2024-3094 with CVSS Score 10
//https://www.linkedin.com/posts/activity-7179670729532092416-b5Yb/

//CVE-2024-3094 with CVSS Score 10/10

//Cyber defenders take note there is a supply chain compromise on the popular Linux XZ utils, if you have Linux running on Azure with Microsoft Defender for Cloud (MDC) enabled, run the below interim KQL to check if your Azure Cloud Linux servers are impacted and the latter KQL when Microsoft update their TVM database for this critical CVE.🫡

//Interim KQL:

DeviceTvmSoftwareInventory 
| where SoftwareName contains "xz"
| where SoftwareVersion contains "5.6."

//KQL to use when Microsoft update their TVM database definitions:

DeviceTvmSoftwareVulnerabilities 
| where CveId == "CVE-2024-3094"

//CISA Alert:
//https://lnkd.in/gAkiCfBS

//Red Hat Alert:
//https://lnkd.in/g2BGRGTy

// MITRE ATT&CK Mapping

// T1082 - System Information Discovery: This technique involves gathering information about the system, including software inventory.
// T1518.001 - Software Discovery: This technique involves discovering software installed on the system.
// T1592.002 - Gather Victim Host Information: This technique involves gathering information about vulnerabilities on the host.
// T1587.001 - Develop Capabilities: This technique involves developing exploits for discovered vulnerabilities.
// These mappings help in understanding how the KQL queries align with the MITRE ATT&CK framework, providing insights into potential adversary behaviors and techniques.

Explanation

This query is designed to help cybersecurity professionals identify if their Azure Cloud Linux servers are affected by a critical vulnerability, CVE-2024-3094, which has a maximum severity score of 10. The vulnerability is related to a supply chain compromise in the popular Linux XZ utilities.

  1. Interim Check: The first part of the query checks if any Linux servers have the XZ utility installed with version 5.6. This is a preliminary step to identify potentially vulnerable systems before Microsoft's Threat and Vulnerability Management (TVM) database is updated.

  2. Post-Update Check: Once Microsoft updates their TVM database, the second query can be used to directly check for the presence of the CVE-2024-3094 vulnerability on the servers.

  3. Context and Alerts: The query references alerts from CISA and Red Hat, providing additional context and resources for understanding the vulnerability.

  4. MITRE ATT&CK Framework: The query is mapped to specific techniques in the MITRE ATT&CK framework, which helps in understanding potential adversary behaviors related to system information discovery, software discovery, gathering host information, and developing exploits for vulnerabilities.

Overall, this query is a proactive measure for organizations using Azure with Microsoft Defender for Cloud to ensure their systems are secure against this critical vulnerability.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

DeviceTvmSoftwareInventoryDeviceTvmSoftwareVulnerabilities

Keywords

DeviceTvmSoftwareInventoryVersionCveIdSystemInformationDiscoveryGatherVictimHostDevelopCapabilities

Operators

contains==

Actions

GitHub