Multiple Flaws in Splunk Enterprise Let Attackers Execute Arbitrary Code


Splunk is a software platform designed to search, analyze, and visualize machine-generated data from various sources, including websites, applications, sensors, and devices.

In 2024, Splunk was acquired by Cisco, which aims to leverage Splunk’s capabilities to enhance digital resilience across its customer base.

Splunk has released security updates to address multiple critical vulnerabilities in Splunk Enterprise that could allow attackers to execute arbitrary code remotely.

The flaws, discovered by both internal and external security researchers, affect Splunk Enterprise versions 9.0.x, 9.1.x, and 9.2.x.

The company urges users to update their systems immediately to mitigate potential risks.


Among the most severe issues patched are:

  • CVE-2024-36984: An authenticated user can execute arbitrary code through a serialized session payload. The attacker first uses the collect SPL command to write a file inside the Splunk Enterprise installation directory, then submits a serialized payload that references that file, leading to code execution. This flaw affects Splunk Enterprise on Windows in versions below 9.2.2, 9.1.5, and 9.0.10.
  • CVE-2024-36985: A low-privileged user can achieve remote code execution through an external lookup that references the splunk_archiver application. The copybuckets.py script in that app calls a second script, erp_launcher.py, which launches a bash shell with arguments supplied by the user. This affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10.
  • CVE-2024-36991: A path traversal vulnerability on the /modules/messaging/ endpoint in Splunk Enterprise on Windows, which lets an attacker read files outside the directory the endpoint is meant to serve. This affects Splunk Enterprise on Windows in versions below 9.2.2, 9.1.5, and 9.0.10.
  • CVE-2024-36983: Command injection through external lookups. An authenticated user can create an external lookup that calls a legacy internal function, allowing code to be injected and executed on the Splunk platform instance. This affects versions below 9.2.2, 9.1.5, and 9.0.10.
  • CVE-2024-36982: An attacker can trigger a null pointer dereference on the cluster/config REST endpoint, crashing the Splunk daemon (splunkd). This affects versions below 9.2.2, 9.1.5, and 9.0.10.
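Two of the flaws above (CVE-2024-36985 and CVE-2024-36983) are reached through external lookups, which in Splunk are defined in transforms.conf stanzas carrying an external_cmd setting. The script below is an added example, not Splunk's own code or anything from the advisory: it enumerates every external lookup in a transforms.conf so an admin can review which scripts a `| lookup` invocation may launch, and flags any whose script is one of the splunk_archiver scripts the advisory names. The config text, the stanza names and the $SPLUNK_HOME path are constructed for this example.

```python
"""Added example, not Splunk's own code: list the external lookups in a
transforms.conf and flag those that reference the splunk_archiver scripts
named in the advisory.  The config text below is constructed; the stanza
names and the script path are hypothetical."""
import configparser
import posixpath

# Constructed sample transforms.conf: one CSV lookup (not external) and two
# external lookups.  Real external lookups use the external_cmd and
# external_type settings shown here.
SAMPLE_TRANSFORMS_CONF = """
[geo_lookup]
filename = geo.csv

[dns_lookup]
external_cmd = external_lookup.py clienthost clientip
external_type = python
fields_list = clienthost, clientip

[archive_lookup]
external_cmd = $SPLUNK_HOME/etc/apps/splunk_archiver/bin/copybuckets.py index
external_type = python
fields_list = index, result
"""

# Scripts from the splunk_archiver app that the advisory ties to CVE-2024-36985.
WATCHLIST = frozenset({"copybuckets.py", "erp_launcher.py"})


def parse_external_lookups(conf_text):
    """Return {stanza_name: external_cmd} for every stanza that defines
    external_cmd, i.e. every lookup that runs a script."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return {
        name: parser[name]["external_cmd"].strip()
        for name in parser.sections()
        if "external_cmd" in parser[name]
    }


def script_name(external_cmd):
    """First whitespace-separated token of external_cmd reduced to its base
    name, so 'bin/x.py a b' and 'x.py a b' both yield 'x.py'."""
    first = external_cmd.split()[0]
    return posixpath.basename(first.replace("\\", "/"))


def flag_watchlisted(lookups, watchlist=WATCHLIST):
    """Sorted stanza names whose script is on the watchlist."""
    return sorted(name for name, cmd in lookups.items()
                  if script_name(cmd) in watchlist)


if __name__ == "__main__":
    found = parse_external_lookups(SAMPLE_TRANSFORMS_CONF)
    for name, cmd in found.items():
        print(f"{name}: {cmd}")
    print("review these lookups:", flag_watchlisted(found))
```

Run it against each app's local/transforms.conf (and default/transforms.conf) on a search head; the watchlist only catches the two scripts the advisory mentions, so treat every external lookup it lists as something to review, not just the flagged ones.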

Additionally, several cross-site scripting (XSS) vulnerabilities were addressed that could allow attackers to execute malicious JavaScript in users’ browsers.

The recent updates from Splunk, which were rolled out on Monday, also target medium-severity vulnerabilities that impact both the Enterprise and Cloud Platform products.

Splunk strongly recommends users upgrade to the latest patched versions:

  • 9.0.10 or later
  • 9.1.5 or later
  • 9.2.2 or later
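Because the fixed release differs per branch, a naive string comparison ("9.0.9" sorts after "9.0.10") gets the answer wrong. The following is an added example, not Splunk's own tooling: it classifies version strings against the fixed versions listed above and triages a small host inventory. The inventory, the host names and the build string are constructed; the "Splunk x.y.z (build ...)" line shape is assumed to match what `splunk version` prints, so check it against your own output.

```python
"""Added example, not Splunk's own code: classify Splunk Enterprise version
strings against the fixed versions in this advisory (9.0.10, 9.1.5, 9.2.2).
The host inventory below is constructed."""
import re

# Branch -> first fixed release on that branch, per the advisory.
FIXED_BY_BRANCH = {(9, 0): (9, 0, 10), (9, 1): (9, 1, 5), (9, 2): (9, 2, 2)}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull (major, minor, patch) out of a bare version like '9.2.1' or a
    line such as 'Splunk 9.2.1 (build abcdef123456)' (assumed shape of
    `splunk version` output; build string is a placeholder).  Comparing
    tuples of ints avoids the '9.0.9' > '9.0.10' string-comparison trap."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(text):
    """'affected' if below the branch's fixed release, 'fixed' if at or
    above it, 'outside advisory' for branches the advisory does not list
    (older than 9.0 or newer than 9.2), which need their own review."""
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "outside advisory"
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """Map host -> classification for a {host: version_string} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed inventory; host names and build string are placeholders.
SAMPLE_INVENTORY = {
    "sh-01": "Splunk 9.2.1 (build abcdef123456)",
    "idx-01": "9.1.5",
    "idx-02": "9.0.9",
    "hf-01": "8.2.12",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "outside advisory" are not cleared by this check; a pre-9.0 instance is simply not covered by the version ranges the advisory lists and should be assessed separately.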

The company noted that Splunk Cloud Platform instances are also being patched and monitored.

These vulnerabilities highlight the importance of promptly applying security updates, especially for critical enterprise software like Splunk, which often processes sensitive data. Organizations using affected versions of Splunk Enterprise should prioritize upgrading to mitigate the risk of exploitation.
