Multiple Splunk Enterprise Vulnerabilities Let Attackers Execute Remote Code

Splunk has released patches for several high-severity vulnerabilities in its Enterprise product that could allow attackers to execute remote code on affected systems. The vulnerabilities impact multiple versions of Splunk Enterprise and Splunk Cloud Platform.

One of the most critical flaws, tracked as CVE-2024-45733, affects Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6.

This vulnerability allows a low-privileged user without admin or power roles to perform remote code execution due to insecure session storage configuration. Splunk has rated this vulnerability as High severity with a CVSS score of 8.8.

Another high-severity vulnerability, CVE-2024-45731, impacts Splunk Enterprise for Windows versions below 9.3.1, 9.2.3, and 9.1.6.

It enables a low-privileged user to write files to the Windows system root directory when Splunk is installed on a separate drive. This could potentially allow the writing of malicious DLLs that, if loaded, could result in remote code execution.

Analyse Any Suspicious Files With ANY.RUN: Intergarte With You Security Team -> Try for Free

A third vulnerability, CVE-2024-45732, affects multiple versions of Splunk Enterprise and Splunk Cloud Platform. It allows low-privileged users to run searches as the “nobody” user in the SplunkDeploymentServerConfig app, potentially accessing restricted data.

Splunk has released patches to address these vulnerabilities and recommends users upgrade to the latest versions immediately.

For Splunk Enterprise, users should upgrade to versions 9.3.1, 9.2.3, 9.1.6 or higher depending on their current version. Splunk Cloud Platform instances are being actively monitored and patched by the company.

In addition to the remote code execution flaws, Splunk also patched several vulnerabilities in third-party packages used in the Splunk Add-on for Amazon Web Services. These include high-severity flaws in the idna and certifi packages.

These vulnerabilities primarily impact instances when Splunk Web is enabled. Splunk has released patches to address these issues and strongly recommends users to upgrade to the latest versions:

  • Splunk Enterprise: 9.3.1, 9.2.3, and 9.1.6 or higher
  • Splunk Cloud Platform: 9.2.2403.103, 9.1.2312.200, 9.1.2312.110, and 9.1.2308.208 or higher

For users unable to update immediately, Splunk suggests several mitigations:

  1. Disable Splunk Web on affected systems, especially on indexers in distributed environments.
  2. Modify the local.meta file in the SplunkDeploymentServerConfig app to restrict write access to knowledge objects.
  3. Ensure Splunk Enterprise is not installed on a separate disk from the system drive.

Organizations using affected Splunk products are strongly advised to review the security advisories and apply the necessary updates as soon as possible to mitigate the risk of exploitation.

The discovery of these vulnerabilities highlights the importance of promptly applying security updates, especially for critical infrastructure and security monitoring tools like Splunk. Attackers often target such platforms due to their privileged access to sensitive data and systems across organizations.

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)

The post Multiple Splunk Enterprise Vulnerabilities Let Attackers Execute Remote Code appeared first on Cyber Security News.