Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to execute remote code.

These vulnerabilities, primarily affecting Windows installations, highlight the critical need for organizations to update and secure their systems promptly.

Overview of the Security Advisories

Splunk, a leading provider of data analytics and monitoring solutions, has released a series of security advisories detailing vulnerabilities in its Splunk Enterprise product.

These advisories are part of Splunk’s ongoing commitment to transparency and security, providing users with essential information to protect their systems. 

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

The vulnerabilities were disclosed on October 14, 2024, and have been categorized as high severity due to their potential impact on system integrity and security.

Splunk recommends that all users subscribe to their mailing list and RSS feed for timely updates on security advisories.

Detailed Vulnerability Breakdown

The table below summarizes the key vulnerabilities identified in Splunk Enterprise:

Advisory ID	Description	Severity	CVE ID
SVD-2024-1003	Remote Code Execution (RCE) due to insecure session storage configuration in Splunk Enterprise on Windows	High	CVE-2024-45733
SVD-2024-1002	Low-privileged user could run search as nobody in SplunkDeploymentServerConfig app	High	CVE-2024-45732
SVD-2024-1001	Potential RCE through arbitrary file write to Windows system root directory when installed on separate disk	High	CVE-2024-45731
SVD-2024-0711	Path Traversal on the “/modules/messaging/“ endpoint in Splunk Enterprise on Windows	High	CVE-2024-36991
SVD-2024-0705	RCE through an external lookup due to “copybuckets.py“ script in the “splunk_archiver“ application	High	CVE-2024-36985
SVD-2024-0704	RCE through Serialized Session Payload in Splunk Enterprise on Windows	High	CVE-2024-36984
SVD-2024-0703	Command Injection using External Lookups	High	CVE-2024-36983
SVD-2024-0702	Denial of Service through null pointer reference in “cluster/config” REST endpoint	High	CVE-2024-36982
SVD-2024-0302	Risky command safeguards bypass in Dashboard Examples Hub	High	CVE-2024-29946
SVD-2024-0301	Splunk Authentication Token Exposure in Debug Log	High	CVE-2024-29945
SVD-2024-0111	Sensitive Information Disclosure to Internal Log Files	High	CVE-2023-46230
SVD-2024-0110	Session Token Disclosure to Internal Log Files	High	CVE-2023-46231
SVD-2024-0108	Deserialization of Untrusted Data through Path Traversal from Separate Disk Partition	High	CVE-2024-23678

The disclosed vulnerabilities primarily affect Windows installations of Splunk Enterprise, where insecure configurations and potential code execution paths pose significant risks.

Attackers exploiting these vulnerabilities could gain unauthorized access, execute arbitrary code, or disrupt services, leading to potential data breaches or system outages. 

Organizations using Splunk Enterprise are urged to apply the necessary patches and updates provided by Splunk.

Furthermore, reviewing system configurations and implementing best security practices can mitigate these risks.

Recommendations for Users

Splunk advises users to:

1. Update Systems: Apply the latest patches and updates immediately.
2. Monitor Security Advisories: Subscribe to Splunk’s mailing list and RSS feed for timely notifications.
3. Review Configurations: Ensure that system configurations adhere to security best practices.
4. Engage with Support: For additional information or unresolved issues, visit the Splunk Support Portal.

By taking these proactive steps, organizations can better protect their systems against potential exploits targeting these vulnerabilities.

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)