Critical Vulnerabilities in Splunk Enterprise Enable Remote Code Execution

Pietro Melillo : 3 July 2024 18:17

Splunk, a leading provider of software for searching, monitoring, and analyzing machine-generated big data, has released urgent security updates for its flagship product, Splunk Enterprise. These updates address multiple critical vulnerabilities that pose significant security risks, including the potential for remote code execution (RCE). The affected versions include 9.0.x, 9.1.x, and 9.2.x, and the vulnerabilities were identified by both internal and external security researchers.

Key Vulnerabilities Addressed

The critical vulnerabilities patched in these updates are as follows:

1. CVE-2024-36984: This vulnerability involves arbitrary code execution through serialized session payloads. Attackers could exploit this flaw to execute arbitrary commands on the server by manipulating session data.
2. CVE-2024-36985: This RCE vulnerability is related to an external lookup in the splunk_archiver application. Attackers leveraging this vulnerability can execute code remotely, potentially gaining control over the affected systems.
3. CVE-2024-36991: Details of this critical issue have not been disclosed, but it has been categorized as a significant security risk warranting immediate attention.
4. CVE-2024-36983: Command injection through external lookups is another severe vulnerability. By injecting commands into lookup fields, attackers can execute arbitrary commands, leading to potential system compromise.
5. CVE-2024-36982: This issue involves a null pointer reference that can cause daemon crashes. While it may not lead to direct code execution, it can disrupt service availability and potentially be leveraged in denial-of-service attacks.

Additional Vulnerabilities

In addition to the aforementioned critical issues, several Cross-Site Scripting (XSS) vulnerabilities have been addressed. XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft, session hijacking, or other malicious activities.

Mitigation and Recommendations

Vuoi diventare un esperto del Dark Web e della Cyber Threat Intelligence (CTI)?
Stiamo per avviare il corso intermedio in modalità "Live Class", previsto per febbraio.
A differenza dei corsi in e-learning, disponibili online sulla nostra piattaforma con lezioni pre-registrate, i corsi in Live Class offrono un’esperienza formativa interattiva e coinvolgente.
Condotti dal professor Pietro Melillo, le lezioni si svolgono online in tempo reale, permettendo ai partecipanti di interagire direttamente con il docente e approfondire i contenuti in modo personalizzato. Questi corsi, ideali per aziende, consentono di sviluppare competenze mirate, affrontare casi pratici e personalizzare il percorso formativo in base alle esigenze specifiche del team, garantendo un apprendimento efficace e immediatamente applicabile.
Non perdere i nostri corsi e scrivi subito su WhatsApp al numero
379 163 8765  per richiedere informazioni "

Supporta RHC attraverso:

• L'acquisto del fumetto sul Cybersecurity Awareness
• Ascoltando i nostri Podcast
• Seguendo RHC su WhatsApp
• Seguendo RHC su Telegram
• Scarica gratuitamente "Dark Mirror", il report sul ransomware di Dark Lab

Ti piacciono gli articoli di Red Hot Cyber? Non aspettare oltre, iscriviti alla newsletter settimanale per non perdere nessun articolo.

Splunk has released patches to mitigate these vulnerabilities. Users running affected versions of Splunk Enterprise are strongly urged to upgrade to the following versions:

• 9.0.10
• 9.1.5
• 9.2.2

These versions contain the necessary fixes to protect systems against the identified vulnerabilities. The prompt application of these updates is crucial for maintaining the security and integrity of Splunk environments.

For users of the Splunk Cloud Platform, updates are being applied automatically, and continuous monitoring is in place to ensure the security of cloud instances.

Importance of Timely Updates

The release of these updates underscores the importance of timely patching in maintaining a secure IT environment. Given the nature of the vulnerabilities, particularly those allowing remote code execution, the potential impact of exploitation could be severe, ranging from unauthorized data access to full system compromise.

Organizations relying on Splunk Enterprise for critical data analysis and monitoring should prioritize these updates in their security protocols. In addition to applying the patches, it is advisable to review security configurations, audit system logs for unusual activities, and ensure that regular security assessments are conducted.

Conclusion

The discovery and mitigation of these critical vulnerabilities in Splunk Enterprise highlight the ongoing challenges in securing complex software systems. As threats evolve, proactive measures, including prompt patching and continuous monitoring, are essential in safeguarding against potential exploits. Splunk’s swift response in addressing these issues serves as a reminder of the critical role that timely security updates play in protecting organizational assets and data integrity.

Pietro Melillo
Head of the Dark Lab group. A Computer Engineer specialised in Cyber Security with a deep passion for Hacking and technology, currently CISO of WURTH Italia, he was responsible for Cyber Threat Intelligence & Dark Web analysis services at IBM, carries out research and teaching activities on Cyber Threat Intelligence topics at the University of Sannio, as a Ph.D, author of scientific papers and development of tools to support cybersecurity activities. Leads the CTI Team "RHC DarkLab"