What are the most severe vulnerabilities addressed in the recent Splunk Enterprise patches?

The two most severe vulnerabilities addressed are CVE-2024-45733 (CVSS score 8.8) and CVE-2024-45731 (CVSS score 8.0), both of which allow for remote code execution (RCE) on Windows systems. CVE-2024-45733 involves insecure session storage configuration, allowing non-admin users to execute code remotely. CVE-2024-45731 is an arbitrary file write defect, which allows a non-admin user to write a malicious DLL to the system root directory, potentially leading to RCE.

Which versions of Splunk are affected by CVE-2024-45733 and CVE-2024-45731?

Both vulnerabilities impact Splunk Enterprise versions running on Windows systems. CVE-2024-45733 affects Splunk Enterprise instances with Splunk Web enabled and is patched in versions 9.2.3 and 9.1.6. CVE-2024-45731 impacts Splunk Enterprise installations on separate drives from the Windows installation and has been patched in versions 9.3.1, 9.2.3, and 9.1.6.

What is the impact of CVE-2024-45732?

CVE-2024-45732 (CVSS score 7.2) is an information disclosure flaw that allows low-privileged users to run searches as the 'nobody' role, potentially accessing restricted data. It affects both Splunk Enterprise and Splunk Cloud Platform and has been patched in Splunk Enterprise 9.3.1 and 9.2.3, as well as in Splunk Cloud Platform versions 9.2.2403.103, 9.1.2312.110, and other specific releases.

Which versions of Splunk contain fixes for these vulnerabilities?

Splunk Enterprise versions 9.2.3, 9.1.6, and 9.3.1 contain patches for the critical vulnerabilities. The Splunk Cloud Platform has also received updates in specific versions, including 9.2.2403.103 and 9.1.2312.110.

What actions should users take to protect their systems from these vulnerabilities?

Users are strongly advised to update their Splunk Enterprise or Splunk Cloud Platform installations to the latest versions immediately. Splunk has also provided detection tools to help identify potential exploit attempts related to these vulnerabilities.

Advisory

Splunk releases patches for Enterprise product to fix multiple flaws, one near-critical

Q: What other vulnerabilities were fixed in the Splunk update?

The update also addressed eight medium-severity flaws, including issues leading to JavaScript code execution, plaintext password exposure, unauthorized system changes, Splunk daemon crashes, and exposure of sensitive data like public/private keys. Fixes for several third-party package vulnerabilities were also included.

published: Oct. 15, 2024

Take action: If you are running Splunk Enterprise, review the advisory for the specific vulnerability scenarios. Ideally, patch your Splunk Enterprise regardless, but you can estimate how urgent your patch is with the descibed flaws. Most of these flaws requre user credentials but they can be obtained through phishing and malware given enough time.

Learn More

Splunk has released patches addressing 11 vulnerabilities in Splunk Enterprise, two of which allow for remote code execution (RCE) on Windows systems.

The most severe vulnerabilities include:

CVE-2024-45733 (CVSS score 8.8) - Insecure session storage configuration. This flaw allows users without ‘admin’ or ‘power’ roles to remotely execute code on affected instances. It only impacts Splunk Enterprise instances running on Windows with Splunk Web enabled and has been patched in Splunk Enterprise versions 9.2.3 and 9.1.6.
CVE-2024-45731 (CVSS score 8.0) - Arbitrary file write defect leading to remote code execution. A user without ‘admin’ or ‘power’ roles could write a file, such as a malicious DLL, to the Windows system root directory (typically located in System32). If this DLL is loaded, it could lead to RCE. It only affects Windows systems where Splunk Enterprise is installed on a separate drive. Systems with Splunk installed on the same disk as the Windows installation are not affected. It's fixed in Splunk Enterprise version 9.3.1, with patches also in 9.2.3 and 9.1.6.
CVE-2024-45732 (CVSS score 7.2) - Information disclosure flaw. A low-privileged user can run searches as the 'nobody' role and potentially access restricted data. Impacts both Splunk Enterprise and Splunk Cloud Platform. Patched in Splunk Enterprise 9.3.1 and 9.2.3, and Splunk Cloud Platform versions 9.2.2403.103, 9.1.2312.110, 9.1.2312.200, and 9.1.2308.208.

Additionally, eight medium-severity flaws were fixed that could lead to JavaScript code execution, plaintext password exposure, unauthorized system changes, Splunk daemon crashes, and exposure of sensitive data like public/private keys. Fixes for several third-party package vulnerabilities are included in the latest updates.

Affected Versions and Patches:

Splunk Enterprise versions 9.2.3, 9.1.6, and 9.3.1 contain fixes for these vulnerabilities.
Splunk Cloud Platform also received patches in specific versions (e.g., 9.2.2403.103, 9.1.2312.110).

Splunk has also provided detection tools to help identify potential exploit attempts related to these vulnerabilities. Users are advised to update their systems to the latest versions immediately to mitigate risks.

Splunk releases patches for Enterprise product to fix multiple flaws, one near-critical

Read More
Cacti Network Monitoring Tool fixes multiple vulnerabilities, two …
Cleo patches another actively exploited flaw
SAP issues October 2023 advisories for their products
Mitel reports critical path traversal flaw in Mitel …
Trimble and CISA report active exploitation of their …