Splunk Patches Critical Vulnerabilities, Including Remote Code Execution Flaws

Splunk Enterprise - CVE-2024-45731 and CVE-2024-45733

Splunk, a leading platform for data analytics and security monitoring, has released a slew of security updates to address multiple vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. These vulnerabilities range in severity, with some enabling remote code execution (RCE) and others allowing low-privileged users to access sensitive information.

Critical RCE Vulnerabilities Demand Immediate Attention

Among the most serious vulnerabilities are CVE-2024-45731 and CVE-2024-45733, both of which could allow attackers to execute code on vulnerable systems remotely. CVE-2024-45731 specifically impacts Windows installations where Splunk Enterprise is installed on a separate disk. Exploiting this flaw, an attacker could write a malicious DLL file to the Windows system root directory, potentially leading to complete system compromise. CVE-2024-45733 stems from insecure session storage configuration and affects Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6.
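As an added example (not code from Splunk or from the advisory), the following Python triage helper turns the fixed versions the article names for CVE-2024-45733 (9.2.3 on the 9.2 branch, 9.1.6 on the 9.1 branch) into a check an administrator can run against the output of `splunk version` collected from a Windows host inventory. Branches the article does not mention are reported as "unknown" rather than guessed, so the operator is pointed back to the Splunk advisory for those. The inventory dictionary and the version strings in it are constructed sample data, and the `Splunk x.y.z (build ...)` output format is an assumption about the CLI.

```python
from typing import Dict, Tuple

# Fixed versions named in the article for CVE-2024-45733, keyed by
# (major, minor) branch. Any other branch is treated as unknown.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (9, 1): (9, 1, 6),
    (9, 2): (9, 2, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract an x.y.z version from a line such as 'Splunk 9.2.1 (build ...)'.

    The first whitespace-separated token made of three numeric parts wins,
    so both the assumed `splunk version` output and a bare '9.2.1' parse.
    """
    for token in text.split():
        parts = token.split(".")
        if len(parts) == 3 and all(p.isdigit() for p in parts):
            return int(parts[0]), int(parts[1]), int(parts[2])
    raise ValueError(f"no x.y.z version found in: {text!r}")


def classify(version: Tuple[int, int, int]) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one parsed version.

    'unknown' means the article gives no fixed version for that branch;
    consult the Splunk advisory rather than assuming either way.
    """
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown"
    return "vulnerable" if version < fixed else "patched"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a dict of host name -> `splunk version` output."""
    report = {}
    for host, output in inventory.items():
        try:
            report[host] = classify(parse_version(output))
        except ValueError:
            report[host] = "unparseable"  # surface bad data instead of skipping the host
    return report


if __name__ == "__main__":
    # Constructed sample inventory; build strings are placeholders.
    sample = {
        "win-search-01": "Splunk 9.2.1 (build PLACEHOLDER)",
        "win-search-02": "Splunk 9.2.3 (build PLACEHOLDER)",
        "win-idx-01": "Splunk 9.1.5 (build PLACEHOLDER)",
        "win-idx-02": "Splunk 9.0.9 (build PLACEHOLDER)",
        "win-fwd-01": "command not found",
    }
    for host, status in sorted(triage(sample).items()):
        print(f"{host:15} {status}")
```

Hosts that come back "vulnerable" are the ones to schedule first for the upgrade the advisory recommends; "unknown" and "unparseable" rows need a manual look rather than being silently dropped from the list.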

Low-Privilege Users Pose Significant Threat

Several vulnerabilities grant low-privileged users unauthorized access and capabilities. CVE-2024-45732 allows these users to run searches as the “nobody” user within the SplunkDeploymentServerConfig app, potentially exposing restricted data. Other vulnerabilities enable low-privileged users to:

  • View images on the host machine (CVE-2024-45734)
  • Access sensitive configuration data in the Splunk Secure Gateway App (CVE-2024-45735)
  • Crash the Splunk daemon (CVE-2024-45736)
  • Manipulate the maintenance mode state of App Key Value Store (CVE-2024-45737)

Information Disclosure and Cross-Site Scripting (XSS) Vulnerabilities Also Addressed

In addition to RCE and privilege escalation flaws, Splunk patched vulnerabilities that could lead to sensitive information disclosure (CVE-2024-45738 and CVE-2024-45739) and persistent cross-site scripting (CVE-2024-45740 and CVE-2024-45741). These vulnerabilities could be exploited to leak sensitive data or inject malicious scripts into web pages viewed by other users.

Splunk Urges Users to Update Immediately

Splunk has released updates to address these vulnerabilities and strongly advises all users to upgrade to the latest Splunk Enterprise and Splunk Cloud Platform versions. The company also provides mitigation and workaround strategies for those who cannot immediately update.

Please refer to the Splunk Security Advisory page for a complete list of affected versions and detailed information on each vulnerability.
