Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to execute remote code.
These vulnerabilities, primarily affecting Windows installations, highlight the critical need for organizations to update and secure their systems promptly.
Overview of the Security Advisories
Splunk, a leading provider of data analytics and monitoring solutions, has released a series of security advisories detailing vulnerabilities in its Splunk Enterprise product.
These advisories are part of Splunk’s ongoing commitment to transparency and security, providing users with essential information to protect their systems.
The vulnerabilities were disclosed on October 14, 2024, and have been categorized as high severity due to their potential impact on system integrity and security.
Splunk recommends that all users subscribe to their mailing list and RSS feed for timely updates on security advisories.
Detailed Vulnerability Breakdown
The table below summarizes the key vulnerabilities identified in Splunk Enterprise:
| Advisory ID | Description | Severity | CVE ID |
|---|---|---|---|
| SVD-2024-1003 | Remote Code Execution (RCE) due to insecure session storage configuration in Splunk Enterprise on Windows | High | CVE-2024-45733 |
| SVD-2024-1002 | Low-privileged user could run search as "nobody" in the SplunkDeploymentServerConfig app | High | CVE-2024-45732 |
| SVD-2024-1001 | Potential RCE through arbitrary file write to the Windows system root directory when installed on a separate disk | High | CVE-2024-45731 |
| SVD-2024-0711 | Path Traversal on the "/modules/messaging/" endpoint in Splunk Enterprise on Windows | High | CVE-2024-36991 |
| SVD-2024-0705 | RCE through an external lookup due to the "copybuckets.py" script in the "splunk_archiver" application | High | CVE-2024-36985 |
| SVD-2024-0704 | RCE through Serialized Session Payload in Splunk Enterprise on Windows | High | CVE-2024-36984 |
| SVD-2024-0703 | Command Injection using External Lookups | High | CVE-2024-36983 |
| SVD-2024-0702 | Denial of Service through null pointer reference in the "cluster/config" REST endpoint | High | CVE-2024-36982 |
| SVD-2024-0302 | Risky command safeguards bypass in Dashboard Examples Hub | High | CVE-2024-29946 |
| SVD-2024-0301 | Splunk Authentication Token Exposure in Debug Log | High | CVE-2024-29945 |
| SVD-2024-0111 | Sensitive Information Disclosure to Internal Log Files | High | CVE-2023-46230 |
| SVD-2024-0110 | Session Token Disclosure to Internal Log Files | High | CVE-2023-46231 |
| SVD-2024-0108 | Deserialization of Untrusted Data through Path Traversal from Separate Disk Partition | High | CVE-2024-23678 |
The disclosed vulnerabilities primarily affect Windows installations of Splunk Enterprise, where insecure configurations and potential code execution paths pose significant risks.
Attackers exploiting these vulnerabilities could gain unauthorized access, execute arbitrary code, or disrupt services, leading to potential data breaches or system outages.
Organizations using Splunk Enterprise are urged to apply the necessary patches and updates provided by Splunk.
Furthermore, reviewing system configurations and implementing best security practices can mitigate these risks.
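As an added defensive illustration (not code from Splunk or from the advisories), the following script scans web-access log lines for path-traversal attempts against the "/modules/messaging/" endpoint named in SVD-2024-0711, catching plain, URL-encoded and double-encoded ".." segments. The log line format and the sample lines are constructed for this example and are not Splunk's real splunkd_access format.

```python
import re
from urllib.parse import unquote

# Endpoint named in advisory SVD-2024-0711 (CVE-2024-36991).
MONITORED_ENDPOINT = "/modules/messaging/"

# Constructed log format (an assumption for this example, not Splunk's real format):
# "<client_ip> <method> <request_path> <status>"
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def normalize_path(raw: str) -> str:
    """Percent-decode repeatedly (bounded, to catch double encoding) and unify slashes."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True when the normalized path sits under the monitored endpoint and has a '..' segment."""
    norm = normalize_path(path)
    if not norm.startswith(MONITORED_ENDPOINT):
        return False
    return any(seg == ".." for seg in norm.split("/"))


def find_traversal_attempts(lines):
    """Return (client_ip, original_path) for every request flagged as a traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        if is_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits


# Constructed sample lines: two benign requests, three traversal variants, one outside the endpoint.
SAMPLE_LINES = [
    "10.0.0.5 GET /en-US/app/search/search 200",
    "10.0.0.9 GET /modules/messaging/../../../../some/file 200",
    "10.0.0.9 GET /modules/messaging/..%2f..%2fsome/file 404",
    "10.0.0.7 GET /modules/messaging/%252e%252e/%252e%252e/some/file 200",
    "10.0.0.5 GET /modules/messaging/static/app.js 200",
    "10.0.0.5 GET /other/../modules/x 200",
]

if __name__ == "__main__":
    for ip, path in find_traversal_attempts(SAMPLE_LINES):
        print(f"possible traversal from {ip}: {path}")
```

Pointing the same logic at real access logs requires only swapping LOG_RE for the actual line format; the decoding and segment check stay the same.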
Recommendations for Users
Splunk advises users to:
- Update Systems: Apply the latest patches and updates immediately.
- Monitor Security Advisories: Subscribe to Splunk’s mailing list and RSS feed for timely notifications.
- Review Configurations: Ensure that system configurations adhere to security best practices.
- Engage with Support: For additional information or unresolved issues, visit the Splunk Support Portal.
By taking these proactive steps, organizations can better protect their systems against potential exploits targeting these vulnerabilities.