Critical Vulnerabilities in Splunk Enterprise Enable Remote Code Execution

Pietro Melillo : 3 July 2024 18:17

Splunk, a leading provider of software for searching, monitoring, and analyzing machine-generated big data, has released urgent security updates for its flagship product, Splunk Enterprise. These updates address multiple critical vulnerabilities that pose significant security risks, including the potential for remote code execution (RCE). The affected versions include 9.0.x, 9.1.x, and 9.2.x, and the vulnerabilities were identified by both internal and external security researchers.

Key Vulnerabilities Addressed

The critical vulnerabilities patched in these updates are as follows:

1. CVE-2024-36984: This vulnerability involves arbitrary code execution through serialized session payloads. Attackers could exploit this flaw to execute arbitrary commands on the server by manipulating session data.
2. CVE-2024-36985: This RCE vulnerability is related to an external lookup in the splunk_archiver application. Attackers leveraging this vulnerability can execute code remotely, potentially gaining control over the affected systems.
3. CVE-2024-36991: Details of this critical issue have not been disclosed, but it has been categorized as a significant security risk warranting immediate attention.
4. CVE-2024-36983: Command injection through external lookups is another severe vulnerability. By injecting commands into lookup fields, attackers can execute arbitrary commands, leading to potential system compromise.
5. CVE-2024-36982: This issue involves a null pointer reference that can cause daemon crashes. While it may not lead to direct code execution, it can disrupt service availability and potentially be leveraged in denial-of-service attacks.

Additional Vulnerabilities

In addition to the aforementioned critical issues, several Cross-Site Scripting (XSS) vulnerabilities have been addressed. XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft, session hijacking, or other malicious activities.

Mitigation and Recommendations

Acquista il corso Dark Web & Cyber Threat Intelligence (e-learning version)
Il Dark Web e la Cyber Threat Intelligence rappresentano aree critiche per comprendere le minacce informatiche moderne. Tra ransomware, data breach e attività illecite, le organizzazioni devono affrontare sfide sempre più complesse per proteggere i propri dati e le infrastrutture. Il nostro corso “Dark Web & Cyber Threat Intelligence” ti guiderà attraverso i meccanismi e le strategie utilizzate dai criminali informatici, fornendoti competenze pratiche per monitorare, analizzare e anticipare le minacce.

Accedi alla pagina del corso condotto dall'Prof. Pietro Melillo sulla nostra Academy e segui l'anteprima gratuita.

Per un periodo limitato, potrai utilizzare il COUPON CTI-16253 che ti darà diritto ad uno sconto del 20% sul prezzo di copertina del corso
Per ulteriori informazioni, scrivici ad [email protected] oppure scrivici su Whatsapp al 379 163 8765 

Supporta RHC attraverso:

• L'acquisto del fumetto sul Cybersecurity Awareness
• Seguendo RHC su WhatsApp
• Seguendo RHC su Telegram
• Scarica gratuitamente "Dark Mirror", il report sul ransomware di Dark Lab

Ti piacciono gli articoli di Red Hot Cyber? Non aspettare oltre, iscriviti alla newsletter settimanale per non perdere nessun articolo

Splunk has released patches to mitigate these vulnerabilities. Users running affected versions of Splunk Enterprise are strongly urged to upgrade to the following versions:

• 9.0.10
• 9.1.5
• 9.2.2

These versions contain the necessary fixes to protect systems against the identified vulnerabilities. The prompt application of these updates is crucial for maintaining the security and integrity of Splunk environments.

For users of the Splunk Cloud Platform, updates are being applied automatically, and continuous monitoring is in place to ensure the security of cloud instances.

Importance of Timely Updates

The release of these updates underscores the importance of timely patching in maintaining a secure IT environment. Given the nature of the vulnerabilities, particularly those allowing remote code execution, the potential impact of exploitation could be severe, ranging from unauthorized data access to full system compromise.

Organizations relying on Splunk Enterprise for critical data analysis and monitoring should prioritize these updates in their security protocols. In addition to applying the patches, it is advisable to review security configurations, audit system logs for unusual activities, and ensure that regular security assessments are conducted.

Conclusion

The discovery and mitigation of these critical vulnerabilities in Splunk Enterprise highlight the ongoing challenges in securing complex software systems. As threats evolve, proactive measures, including prompt patching and continuous monitoring, are essential in safeguarding against potential exploits. Splunk’s swift response in addressing these issues serves as a reminder of the critical role that timely security updates play in protecting organizational assets and data integrity.

Pietro Melillo
Head of the Dark Lab group. A Computer Engineer specialised in Cyber Security with a deep passion for Hacking and technology, currently CISO of WURTH Italia, he was responsible for Cyber Threat Intelligence & Dark Web analysis services at IBM, carries out research and teaching activities on Cyber Threat Intelligence topics at the University of Sannio, as a Ph.D, author of scientific papers and development of tools to support cybersecurity activities. Leads the CTI Team "RHC DarkLab"