Advisory

Splunk patches multiple severe flaws, some with PoC exploits


Learn More

Splunk has released a set of security updates addressing 16 vulnerabilities across Splunk Enterprise and Splunk Cloud Platform. Several of them are high-severity issues that are exploitable when the server is reachable from the internet.

Update (15 July 2024): SonicWall warns that the Splunk Enterprise vulnerability CVE-2024-36991 is more severe than initially thought and can be exploited via a simple GET request, potentially exposing sensitive files. Users are advised to update their Splunk installations immediately or disable Splunk Web, as proof-of-concept code has been released and over 220,000 servers are potentially at risk.

High Severity Vulnerabilities

  1. CVE-2024-36991 (CVSS score 7.5): Path Traversal on the "/modules/messaging/" endpoint in Splunk Enterprise on Windows. A PoC exploit has been published, so automated exploitation attempts should be expected very soon.
  2. CVE-2024-36985 (CVSS score 8.8): Remote Code Execution (RCE) through an external lookup that invokes the "copybuckets.py" script in the "splunk_archiver" application in Splunk Enterprise. Upgrade to the latest Splunk versions or temporarily disable the affected "splunk_archiver" application.
  3. CVE-2024-36984 (CVSS score 8.8): Remote Code Execution through a Serialized Session Payload in Splunk Enterprise on Windows.
  4. CVE-2024-36983 (CVSS score 8.0): Command Injection using External Lookups.
  5. CVE-2024-36982 (CVSS score 7.5): Denial of Service through null pointer reference in the "cluster/config" REST endpoint.

Medium Severity Vulnerabilities

  1. CVE-2024-36997: Persistent Cross-site Scripting (XSS) in conf-web/settings REST endpoint
  2. CVE-2024-36996: Information Disclosure of user names
  3. CVE-2024-36995: Low-privileged user could create experimental items
  4. CVE-2024-36994: Persistent Cross-site Scripting (XSS) in Dashboard Elements
  5. CVE-2024-36993: Persistent Cross-site Scripting (XSS) in Web Bulletin
  6. CVE-2024-36992: Persistent Cross-site Scripting (XSS) in Dashboard Elements
  7. CVE-2024-36990: Denial of Service (DoS) on the datamodel/web REST endpoint
  8. CVE-2024-36989: Low-privileged user could create notifications in Splunk Web Bulletin Messages
  9. CVE-2024-36987: Insecure File Upload in the indexing/preview REST endpoint
  10. CVE-2024-36986: Risky command safeguards bypass through Search ID query in Analytics Workspace

Affected versions are those prior to 9.0.10, 9.1.5, and 9.2.2. Splunk advises users to update their installations to the latest versions and, as mitigating measures, to disable the "splunk_archiver" application and isolate the management interfaces from the Internet.
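As an added example (not part of the advisory or Splunk's own tooling), the following Python script turns the version thresholds above into a fleet check: it decides per maintenance branch whether an installed version is still below 9.0.10, 9.1.5 or 9.2.2, and inspects a splunk_archiver app.conf to confirm the workaround. The hostnames and versions in the sample inventory are constructed, and the `[install]` / `state = disabled` stanza used for the app check is assumed from Splunk's app.conf format rather than taken from the page.

```python
"""Fleet check for the Splunk advisory: flags installs below the fixed
releases (9.0.10, 9.1.5, 9.2.2) and verifies the splunk_archiver workaround."""
import configparser
import re

# Fixed release per maintenance branch, from the advisory text.
FIXED_BY_BRANCH = {(9, 0): (9, 0, 10), (9, 1): (9, 1, 5), (9, 2): (9, 2, 2)}
OLDEST_FIX = min(FIXED_BY_BRANCH.values())  # 9.0.10: anything older is affected

def parse_version(text):
    """Extract the first dotted version ('9.1.4', '9.0.10.1', 'Splunk 8.2.12
    (build 1234)') as an int tuple padded to major.minor.patch for comparison."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(p) for p in m.groups() if p is not None]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    """True when the install is below the fix for its own branch. Branches with
    no fix (8.x) are affected below 9.0.10; branches after 9.2 postdate the fix."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    return v < fixed if fixed is not None else v < OLDEST_FIX

def archiver_disabled(app_conf_text):
    """Report whether a splunk_archiver app.conf marks the app disabled.
    Assumes Splunk's '[install]' stanza with 'state = disabled' (not on the page)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(app_conf_text)
    return cp.get("install", "state", fallback="enabled").strip().lower() == "disabled"

def assess(inventory):
    """Map host -> True when the install still needs the advisory's update."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "sh-01": "9.2.1",
    "idx-02": "9.1.5",
    "hf-03": "Splunk 8.2.12 (build 1234)",
    "sh-04": "9.0.10.1",
}

if __name__ == "__main__":
    for host, exposed in assess(SAMPLE_INVENTORY).items():
        print(f"{host}: {'UPDATE REQUIRED' if exposed else 'patched'}")
```

Feed it the output of `splunk version` per host (or the version field from a management API inventory) and pair it with the contents of `etc/apps/splunk_archiver/local/app.conf` to confirm the app is disabled where patching is delayed.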
