Overview

Splunk has recently issued an advisory detailing multiple vulnerabilities discovered in its Splunk Enterprise software. The advisory categorize vulnerabilities into three primary classifications based on their CVSS base scores. In total, there are two vulnerabilities classified as High, with a risk score deemed Critical. The Medium category includes eight vulnerabilities, while there is one vulnerability classified as Low.

The advisory identifies several CVE IDs associated with these vulnerabilities, specifically: CVE-2024-45731, CVE-2024-45732, CVE-2024-45733, CVE-2024-45734, CVE-2024-45735, CVE-2024-45736, CVE-2024-45737, CVE-2024-45738, CVE-2024-45739, CVE-2024-45740, and CVE-2024-45741. Importantly, Splunk has confirmed that patches are available for all identified vulnerabilities, urging users to implement them promptly to mitigate potential risks.

Detailed Vulnerability Analysis

CVE-2024-45731 addresses a critical remote code execution vulnerability, receiving a CVSS score of 8.0, classified as high. This vulnerability affects Splunk Enterprise for Windows in versions below 9.3.1, 9.2.3, and 9.1.6. A low-privileged attacker can exploit this vulnerability by writing a file to the Windows system root directory if Splunk is installed on a separate drive. This action could allow the attacker to load a malicious DLL, leading to remote code execution. To mitigate this risk, users should ensure that Splunk is not installed on a separate disk.

CVE-2024-45732 is categorized as a medium vulnerability, with a CVSS score of 6.5. It impacts various versions below 9.3.1 for both Splunk Enterprise and Splunk Cloud Platform. In this case, a low-privileged user may run searches as the “nobody” Splunk user, potentially gaining access to restricted data. Users are advised to modify the local.meta file to restrict write access and can consider disabling Splunk Web as a workaround.

Another medium vulnerability, CVE-2024-45733, also scores 6.5 and affects Splunk Enterprise for Windows in versions below 9.2.3 and 9.1.6. This vulnerability allows for remote code execution due to insecure session storage configurations. To address this issue, users should disable Splunk Web on indexers in distributed environments where logins are not necessary.

CVE-2024-45734 is classified as medium, with a CVSS score of 4.3, and affects versions of Splunk Enterprise below 9.2.3 and 9.1.6. This vulnerability can be exploited through the PDF export feature, enabling users to view local images from the machine running Splunk Enterprise. Turning off Splunk Web may serve as a mitigation strategy for this risk.

Another instance of improper access control, CVE-2024-45735, also has a CVSS score of 4.3 and affects various versions below 9.2.3 and 9.1.6, including Splunk Secure Gateway versions. This vulnerability allows a low-privileged user to view deployment configurations and keys within the Splunk Secure Gateway App. Users can mitigate this risk by disabling the app if it is not needed or by ensuring proper security settings are in place.

CVE-2024-45736, which scores 6.5 and falls into the medium category, involves uncontrolled resource consumption. This vulnerability can cause the Splunk daemon to crash if a crafted search query is executed. Organizations are advised to implement monitoring and alerting on search query behaviors to identify potential exploit attempts.

CVE-2024-45737 is a low-severity vulnerability, scoring 3.5, affecting various versions below 9.3.1 and 9.2.3. An attacker could exploit this vulnerability through cross-site request forgery (CSRF) to change the maintenance mode state of the App Key Value Store. Turning off Splunk Web may serve as a potential workaround.

Two vulnerabilities, CVE-2024-45738 and CVE-2024-45739, both classified as medium with a CVSS score of 4.9, affect various versions below 9.3.1, 9.2.3, and 9.1.6. These vulnerabilities could expose sensitive HTTP parameters and plaintext passwords due to verbose logging configurations. Users are recommended to adjust logging levels and remove sensitive logs from the internal index to mitigate these risks.

Lastly, CVE-2024-45740 and CVE-2024-45741, both scoring 5.4 and categorized as medium vulnerabilities, affect various versions below 9.2.3 and 9.1.6. These vulnerabilities can be exploited to execute unauthorized JavaScript in user browsers. Disabling Splunk Web can help mitigate these risks.

Recommendations for Organizations

1. Regularly update all software systems with the latest vendor patches to mitigate vulnerabilities.
2. Develop a comprehensive strategy that includes inventory management, assessment, testing, and verification of patches.
3. Isolate critical assets from less secure areas using firewalls, VLANs, and access controls to limit exposure.
4. Maintain an up-to-date incident response plan to effectively address security incidents as they arise.
5. Implement robust monitoring solutions to detect and analyze suspicious activities across the network.
6. Proactively assess critical systems for potential upgrades or replacements to avoid risks associated with outdated software.

Conclusion

Splunk Enterprise and its associated cloud platform are essential tools for organizations focused on advanced log management and security analytics. However, the recent disclosure of multiple vulnerabilities highlights the critical importance of maintaining software updates and installing security patches. 

Organizations that neglect to apply these patches may find themselves exposed to risks, including unauthorized access and data breaches. Thus, users need to stay vigilant and proactive in implementing the recommended mitigations and updates.

Related