Splunk has issued a security advisory addressing multiple vulnerabilities in its Splunk Enterprise software. The advisory groups these vulnerabilities into three classifications based on their Common Vulnerability Scoring System (CVSS) base scores: two high-severity issues, eight medium-severity vulnerabilities, and one low-severity vulnerability.
The advisory covers a total of eleven vulnerabilities, tracked as CVE-2024-45731 through CVE-2024-45741. Two of these are rated high severity, indicating a critical risk to users. The remaining vulnerabilities fall into the medium and low categories and represent a range of threats that organizations running Splunk should address promptly.
Splunk has confirmed that patches are available for all identified vulnerabilities and has urged users to implement these updates promptly to mitigate any associated risks. This guidance is crucial, as neglecting to apply these patches could expose organizations to significant threats, including unauthorized access and potential data breaches.
Overview of Splunk Vulnerabilities
The most pressing issue in the advisory is CVE-2024-45731, a remote code execution vulnerability. This high-severity vulnerability carries a CVSS score of 8.0 and affects versions of Splunk Enterprise for Windows below 9.3.1, 9.2.3, and 9.1.6. When Splunk is installed on a drive other than the system drive, a low-privileged attacker can write a file to the Windows system root directory, which can allow a malicious DLL to be loaded and code to be executed. Until patched, users are advised not to install Splunk on a separate disk to mitigate this risk.
Another notable vulnerability, CVE-2024-45733, also poses a significant threat, with a CVSS score of 6.5. This vulnerability affects Splunk Enterprise for Windows in versions below 9.2.3 and 9.1.6, allowing for remote code execution due to insecure session storage configurations. Organizations are encouraged to disable Splunk Web on indexers in distributed environments where logins are unnecessary to prevent exploitation.
Additionally, CVE-2024-45734 and CVE-2024-45735 both score 4.3 and are medium-risk vulnerabilities. CVE-2024-45734 can be exploited through the PDF export feature, enabling users to view local images from the machine running Splunk; disabling Splunk Web mitigates this risk. CVE-2024-45735 allows low-privileged users to access sensitive deployment configurations within the Splunk Secure Gateway App; users should disable this app if it is not needed or ensure that proper security settings are in place.
CVE-2024-45736, scoring 6.5, involves uncontrolled resource consumption: a crafted search query can cause the Splunk daemon to crash. Organizations should implement monitoring to detect unusual search query behavior that may indicate an exploitation attempt.
The single low-severity vulnerability, CVE-2024-45737, with a score of 3.5, allows an attacker to use cross-site request forgery (CSRF) to alter the maintenance mode state of the App Key Value Store. Again, turning off Splunk Web may serve as a temporary workaround.
Finally, CVE-2024-45738 and CVE-2024-45739, both scoring 4.9, pose medium risks by potentially exposing sensitive HTTP parameters and plaintext passwords due to overly verbose logging configurations. Users should adjust logging levels and ensure sensitive logs are removed from internal indexes to mitigate these Splunk vulnerabilities.
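Because the advisory expresses affected versions as "below" a set of fixed releases, inventory checks are easy to get wrong when a host sits on a release line the fixed list does not mention. The following Python script is an added example, not code from Splunk or from the advisory: it reads the fixed versions quoted above for CVE-2024-45731 and CVE-2024-45733 per release line (the assumption, labelled in the code, is that a 9.3.x install needs at least 9.3.1, a 9.2.x install at least 9.2.3, and a 9.1.x install at least 9.1.6) and reports release lines with no listed fix separately rather than treating them as safe. The version strings it runs over are constructed for the example.

```python
"""
Added example (not from the advisory or from Splunk): decide whether an
installed Splunk Enterprise version falls below the fixed versions that the
advisory lists for a given CVE.

Assumption: a fixed-version list such as "9.3.1, 9.2.3, 9.1.6" is read per
release line, i.e. 9.3.x needs >= 9.3.1, 9.2.x needs >= 9.2.3 and 9.1.x needs
>= 9.1.6. A release line with no fixed version in the list (e.g. 9.0.x) is
reported as "no fix listed" so a reviewer looks at it instead of marking it
patched. All version strings in the demo are constructed sample data.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# Fixed versions exactly as stated in the advisory summary above.
FIXED_VERSIONS: dict[str, list[str]] = {
    "CVE-2024-45731": ["9.3.1", "9.2.3", "9.1.6"],
    "CVE-2024-45733": ["9.2.3", "9.1.6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


class Verdict(NamedTuple):
    status: str          # "affected", "patched" or "no fix listed"
    fixed_in: str | None  # the fixed version for this install's release line


def parse_version(text: str) -> tuple[int, ...]:
    """Parse 'major.minor.patch' into a comparable tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def check_version(installed: str, fixed_versions: list[str]) -> Verdict:
    """Compare an installed version with the fixed version of its own release line."""
    inst = parse_version(installed)
    # (major, minor) of each fixed version -> the full fixed version tuple
    by_line = {parse_version(v)[:2]: parse_version(v) for v in fixed_versions}
    fixed = by_line.get(inst[:2])
    if fixed is None:
        # Assumption from the lead-in: unlisted release lines are flagged, not cleared.
        return Verdict("no fix listed", None)
    fixed_str = ".".join(str(n) for n in fixed)
    if inst < fixed:
        return Verdict("affected", fixed_str)
    return Verdict("patched", fixed_str)


def assess(installed: str) -> dict[str, Verdict]:
    """Run the per-line check for every CVE in the table."""
    return {cve: check_version(installed, fixed) for cve, fixed in FIXED_VERSIONS.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for version in ["9.3.0", "9.3.1", "9.2.2", "9.1.6", "9.0.5"]:
        print(version)
        for cve, verdict in assess(version).items():
            suffix = f" (fixed in {verdict.fixed_in})" if verdict.fixed_in else ""
            print(f"  {cve}: {verdict.status}{suffix}")
```

The per-line comparison is the point: a naive "is 9.2.2 less than 9.3.1" test would also flag a fully patched 9.2.3 host, while a naive "is 9.0.5 less than 9.1.6" test says nothing useful about a line the advisory does not list. Feeding the script real output from your own inventory (for example, the version string your asset database records for each Splunk host) turns it into a quick pre-patching triage list.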
Conclusion
In response to these Splunk vulnerabilities, organizations should adopt a set of core practices: apply vendor patches as soon as they are released, maintain a comprehensive security strategy, isolate critical assets with firewalls and access controls, keep incident response plans current, deploy robust monitoring tools, and proactively assess systems for required upgrades. These measures are essential to guard against risks such as unauthorized access and data breaches, and they help users of Splunk Enterprise remain vigilant and secure.