Critical Vulnerabilities in Splunk Enterprise Enable Remote Code Execution

Pietro Melillo : 3 July 2024 18:17

Splunk, a leading provider of software for searching, monitoring, and analyzing machine-generated big data, has released urgent security updates for its flagship product, Splunk Enterprise. These updates address multiple critical vulnerabilities that pose significant security risks, including the potential for remote code execution (RCE). The affected versions include 9.0.x, 9.1.x, and 9.2.x, and the vulnerabilities were identified by both internal and external security researchers.

Key Vulnerabilities Addressed

The critical vulnerabilities patched in these updates are as follows:

1. CVE-2024-36984: This vulnerability involves arbitrary code execution through serialized session payloads. Attackers could exploit this flaw to execute arbitrary commands on the server by manipulating session data.
2. CVE-2024-36985: This RCE vulnerability is related to an external lookup in the splunk_archiver application. Attackers leveraging this vulnerability can execute code remotely, potentially gaining control over the affected systems.
3. CVE-2024-36991: Details of this critical issue have not been disclosed, but it has been categorized as a significant security risk warranting immediate attention.
4. CVE-2024-36983: Command injection through external lookups is another severe vulnerability. By injecting commands into lookup fields, attackers can execute arbitrary commands, leading to potential system compromise.
5. CVE-2024-36982: This issue involves a null pointer reference that can cause daemon crashes. While it may not lead to direct code execution, it can disrupt service availability and potentially be leveraged in denial-of-service attacks.

Additional Vulnerabilities

In addition to the aforementioned critical issues, several Cross-Site Scripting (XSS) vulnerabilities have been addressed. XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft, session hijacking, or other malicious activities.

Mitigation and Recommendations

Iscriviti GRATIS alla RHC Conference 2025 (Venerdì 9 maggio 2025)

Il giorno Venerdì 9 maggio 2025 presso il teatro Italia di Roma (a due passi dalla stazione termini e dalla metro B di Piazza Bologna), si terrà la RHC Conference 2025. Si tratta dell’appuntamento annuale gratuito, creato dalla community di RHC, per far accrescere l’interesse verso le tecnologie digitali, l’innovazione digitale e la consapevolezza del rischio informatico.

La giornata inizierà alle 9:30 (con accoglienza dalle 9:00) e sarà interamente dedicata alla RHC Conference, un evento di spicco nel campo della sicurezza informatica. Il programma prevede un panel con ospiti istituzionali che si terrà all’inizio della conferenza. Successivamente, numerosi interventi di esperti nazionali nel campo della sicurezza informatica si susseguiranno sul palco fino alle ore 19:00 circa, quando termineranno le sessioni. Prima del termine della conferenza, ci sarà la premiazione dei vincitori della Capture The Flag prevista per le ore 18:00.
Potete iscrivervi gratuitamente all'evento utilizzando questo link.

Per ulteriori informazioni, scrivi a [email protected] oppure su Whatsapp al 379 163 8765

Supporta RHC attraverso:

• L'acquisto del fumetto sul Cybersecurity Awareness
• Ascoltando i nostri Podcast
• Seguendo RHC su WhatsApp
• Seguendo RHC su Telegram
• Scarica gratuitamente "Dark Mirror", il report sul ransomware di Dark Lab

Ti piacciono gli articoli di Red Hot Cyber? Non aspettare oltre, iscriviti alla newsletter settimanale per non perdere nessun articolo.

Splunk has released patches to mitigate these vulnerabilities. Users running affected versions of Splunk Enterprise are strongly urged to upgrade to the following versions:

• 9.0.10
• 9.1.5
• 9.2.2

These versions contain the necessary fixes to protect systems against the identified vulnerabilities. The prompt application of these updates is crucial for maintaining the security and integrity of Splunk environments.

For users of the Splunk Cloud Platform, updates are being applied automatically, and continuous monitoring is in place to ensure the security of cloud instances.

Importance of Timely Updates

The release of these updates underscores the importance of timely patching in maintaining a secure IT environment. Given the nature of the vulnerabilities, particularly those allowing remote code execution, the potential impact of exploitation could be severe, ranging from unauthorized data access to full system compromise.

Organizations relying on Splunk Enterprise for critical data analysis and monitoring should prioritize these updates in their security protocols. In addition to applying the patches, it is advisable to review security configurations, audit system logs for unusual activities, and ensure that regular security assessments are conducted.

Conclusion

The discovery and mitigation of these critical vulnerabilities in Splunk Enterprise highlight the ongoing challenges in securing complex software systems. As threats evolve, proactive measures, including prompt patching and continuous monitoring, are essential in safeguarding against potential exploits. Splunk’s swift response in addressing these issues serves as a reminder of the critical role that timely security updates play in protecting organizational assets and data integrity.

Pietro Melillo
Head of the Dark Lab group. A Computer Engineer specialised in Cyber Security with a deep passion for Hacking and technology, currently CISO of WURTH Italia, he was responsible for Cyber Threat Intelligence & Dark Web analysis services at IBM, carries out research and teaching activities on Cyber Threat Intelligence topics at the University of Sannio, as a Ph.D, author of scientific papers and development of tools to support cybersecurity activities. Leads the CTI Team "RHC DarkLab"