High-Risk Vulnerabilities Discovered in Splunk Enterprise CVE-2024-45731, CVE-2024-45732, CVE-2024-45733

Filip Dimitrov

October 21, 2024

New vulnerabilities have been discovered affecting older versions of Splunk Enterprise, a popular platform for data analysis, monitoring, and security operations. These vulnerabilities, if exploited, can allow low-privileged users to gain unauthorized access or even execute malicious code.

Overview

Splunk has released patches for 11 vulnerabilities in Splunk Enterprise, including three high-severity issues that allow low-privileged users to escalate their capabilities and perform remote code execution (RCE). The vulnerabilities were discovered during a routine security audit.

Note: Only instances running Splunk Enterprise on Windows are affected.

Breakdown of vulnerabilities:

1. CVE-2024-45733 (High Severity)

  • Impact: This vulnerability allows a low-privileged user to perform Remote Code Execution (RCE) due to an insecure session storage configuration. If exploited, attackers could execute arbitrary code remotely, leading to system compromise.
  • Affected Versions: Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6.
  • CVSS v3 Score: 8.8 (High)
  • Recommendation: Update immediately to Splunk Enterprise version 9.2.3 or higher to mitigate this risk.

2. CVE-2024-45732 (High Severity)

  • Impact: A low-privileged user can run searches as the ‘nobody’ Splunk role via the SplunkDeploymentServerConfig app, potentially exposing restricted data. This flaw in data access control could lead to serious information disclosure, particularly if sensitive logs or configurations are exposed.
  • Affected Versions: Splunk Enterprise versions below 9.3.1, and Splunk Cloud Platform versions below 9.2.2403.103.
  • CVSS v3 Score: 7.1 (High)
  • Recommendation: Update to Splunk Enterprise version 9.3.1 and ensure Splunk Cloud versions are also updated to the latest available versions.

3. CVE-2024-45731 (High Severity)

  • Impact: This vulnerability allows a low-privileged user to write files to the Windows System32 folder, a critical directory. When Splunk Enterprise is installed on a separate drive, this flaw can be exploited to write malicious files, including DLLs, which could lead to Remote Code Execution (RCE) when loaded.
  • Affected Versions: Splunk Enterprise for Windows versions below 9.3.1, 9.2.3, and 9.1.6.
  • CVSS v3 Score: 8.0 (High)
  • Recommendation: Upgrade to Splunk Enterprise version 9.3.1 or higher to prevent exploitation.

Recommended Actions:

1. Patch all affected systems to the latest available versions to close these security gaps. Splunk has released the necessary patches in versions 9.3.1 and 9.2.3 for Windows and Cloud environments.
2. Strengthen user role management to limit the ability of low-privileged users to exploit vulnerabilities. Review access privileges and make sure users do not have unnecessary access.

Manual intervention is required to apply these patches. Splunk does not automatically deploy security fixes, meaning system administrators must take immediate action to implement the necessary updates.
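Because the three CVEs have different fixed releases per maintenance branch and per platform, a plain "is it below 9.3.1" check gives wrong answers (a 9.2.3 Windows host is patched for CVE-2024-45733 and CVE-2024-45731 but, as the advisory text states it, still below the 9.3.1 fix for CVE-2024-45732). The following added example, which is not Splunk's tooling, encodes the affected-version thresholds exactly as listed above and reports which CVEs still apply to a given build; the sample builds at the bottom are constructed.

```python
"""Branch-aware check of Splunk builds against the advisory's fixed versions.
Added example, not Splunk's own code; thresholds copied from the advisory text,
sample builds in __main__ are constructed for illustration."""


def parse_version(v: str) -> tuple[int, ...]:
    """'9.2.2403.103' -> (9, 2, 2403, 103); non-numeric suffixes are dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


# First fixed release on each maintenance branch, per CVE, as the advisory lists
# them. "Below 9.3.1, 9.2.3 and 9.1.6" means a 9.1.x host is fixed at 9.1.6,
# a 9.2.x host at 9.2.3 and a 9.3.x host at 9.3.1. An empty "cloud" list means
# the advisory names no affected Cloud build for that CVE.
ADVISORY = {
    "CVE-2024-45733": {"windows_only": True,  "enterprise": ["9.2.3", "9.1.6"], "cloud": []},
    "CVE-2024-45732": {"windows_only": False, "enterprise": ["9.3.1"], "cloud": ["9.2.2403.103"]},
    "CVE-2024-45731": {"windows_only": True,  "enterprise": ["9.3.1", "9.2.3", "9.1.6"], "cloud": []},
}


def is_fixed(installed: str, fixed_releases: list[str]) -> bool:
    """True if `installed` is at or above the fix for its own major.minor branch."""
    inst = parse_version(installed)
    same_branch = [f for f in fixed_releases if parse_version(f)[:2] == inst[:2]]
    if same_branch:
        return inst >= parse_version(same_branch[0])
    # Branch not listed (e.g. 9.0.x or 9.4.x): compare against the newest fix,
    # so older unlisted branches count as "below" and newer ones as fixed.
    newest = max((parse_version(f) for f in fixed_releases), default=None)
    return newest is not None and inst >= newest


def affecting_cves(installed: str, platform: str) -> list[str]:
    """platform is 'windows', 'linux' (Enterprise on another OS) or 'cloud'."""
    hits = []
    for cve, info in ADVISORY.items():
        if platform == "cloud":
            fixed = info["cloud"]
        elif info["windows_only"] and platform != "windows":
            continue
        else:
            fixed = info["enterprise"]
        if fixed and not is_fixed(installed, fixed):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for build, plat in [("9.2.2", "windows"), ("9.2.3", "linux"), ("9.2.2403.102", "cloud")]:
        print(build, plat, affecting_cves(build, plat) or "not affected")
```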

Risk Landscape:

With attackers increasingly seeking out high-value targets within enterprise systems, vulnerabilities like these in core infrastructure represent significant attack vectors.

While no exploitation has been observed in the wild, the public disclosure of these vulnerabilities increases the risk of threat actors targeting organizations that have not yet applied the updates.