Splunk Enterprise Under Attack: 12 Critical Vulnerabilities Exposed
Splunk, a leader in data analytics and monitoring, has disclosed 12 new vulnerabilities in its Splunk Enterprise product for Windows, including ones that enable remote code execution (RCE) by malicious actors.
On October 14, 2024, the company released a series of security advisories detailing the identified issues. All were classified as highly critical, given their potential to severely compromise the integrity and security of vulnerable systems.
Among the vulnerabilities discovered in Splunk Enterprise:
- SVD-2024-1012 — vulnerabilities in third-party packages.
- CVE-2024-45731 — arbitrary command execution through file writes to the root directory of the Windows system if Splunk is installed on a separate drive.
- CVE-2024-45732 — low-privilege users can execute search queries in the SplunkDeploymentServerConfig application.
- CVE-2024-45733 — remote code execution (RCE) due to improper session storage configuration in Splunk Enterprise on Windows.
- CVE-2024-45734 — low-privilege users can view images on the host machine via the PDF export feature of Splunk Classic Dashboard.
- CVE-2024-45735 — insufficient access control for low-privilege users in the Splunk Secure Gateway application.
- CVE-2024-45736 — Splunk Daemon crash caused by a malformed “INGEST_EVAL” parameter.
- CVE-2024-45737 — alteration of the maintenance mode state of the App Key Value Store (KV Store) through a cross-site request forgery (CSRF) attack.
- CVE-2024-45738 — leakage of confidential information through logs in the REST_Calls logging channel.
- CVE-2024-45739 — exposure of sensitive information through logs in the AdminManager logging channel.
- CVE-2024-45740 — cross-site scripting (XSS) vulnerability via scheduled views in Splunk Enterprise.
- CVE-2024-45741 — cross-site scripting (XSS) vulnerability via the props.conf configuration file in Splunk Enterprise.
These vulnerabilities present opportunities for attackers to gain unauthorized access, execute arbitrary commands, or disrupt service operations, potentially leading to data breaches or system failures.
Splunk strongly urges users to promptly patch their installations to address these vulnerabilities. The recommended fixed releases are 9.3.0, 9.2.3, or 9.1.6, depending on which release branch of Splunk Enterprise (9.3.x, 9.2.x, or 9.1.x) is in use.
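A practical way to act on the advice above is to compare each instance's reported version against the fixed release for its branch. The following is an added example, not code from the article or from Splunk: it parses the version string as printed by the `splunk version` CLI command (or the `version` field of the `/services/server/info` REST endpoint) and reports whether an upgrade is needed. The mapping of each fixed release to its maintenance branch (9.3.0 for 9.3.x, 9.2.3 for 9.2.x, 9.1.6 for 9.1.x) is inferred from the version numbers the article gives; branches older than 9.1 have no fixed release listed and are reported as needing an upgrade to a supported branch, and branches newer than 9.3 are assumed to already carry the fixes. The inventory at the bottom is constructed sample data.

```python
"""Added example: triage Splunk Enterprise versions against the October 2024
fixed releases (9.3.0, 9.2.3, 9.1.6) named in the advisories.

Branch-to-fix mapping is an assumption derived from those version numbers.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed release per maintenance branch, as listed in the article.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (9, 3): (9, 3, 0),
    (9, 2): (9, 2, 3),
    (9, 1): (9, 1, 6),
}

_VERSION_RE = re.compile(r"^\s*(?:Splunk\s+)?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a numeric version tuple from strings such as '9.2.1',
    '9.1.2.1' or 'Splunk 9.2.4 (build abcdef)'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Splunk version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def required_fix(version: str) -> Optional[str]:
    """Return the fixed release for this version's branch, or None when the
    advisories list no fix for that branch (older than 9.1)."""
    branch = parse_version(version)[:2]
    fixed = FIXED_VERSIONS.get(branch)
    return ".".join(map(str, fixed)) if fixed else None


def is_patched(version: str) -> bool:
    """True when the version is at or above the fixed release of its branch.
    Branches newer than any listed (e.g. 9.4.x) are assumed to include the
    fixes; branches with no listed fix are treated as unpatched."""
    parsed = parse_version(version)
    branch = parsed[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return branch > max(FIXED_VERSIONS)
    # Tuple comparison handles 4-part versions: (9,2,3,1) >= (9,2,3).
    return parsed >= fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> human-readable status for a host:version inventory."""
    report = {}
    for host, version in inventory.items():
        if is_patched(version):
            report[host] = "patched"
        else:
            fix = required_fix(version)
            if fix:
                report[host] = f"upgrade to {fix}"
            else:
                report[host] = "unsupported branch; upgrade to 9.1.6, 9.2.3 or 9.3.0"
    return report


if __name__ == "__main__":
    # Constructed sample inventory (host -> output of `splunk version`).
    sample = {
        "sh-01": "Splunk 9.2.1 (build deadbeef)",
        "idx-01": "9.3.0",
        "idx-02": "9.1.5",
        "legacy": "8.2.12",
    }
    for host, status in triage(sample).items():
        print(f"{host:8} {status}")
```

The comparison is done on integer tuples rather than strings so that `9.2.10` sorts above `9.2.3`; in a real deployment the inventory would be populated from each instance's reported version rather than typed in by hand.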
In addition, some vulnerabilities affect other Splunk products, including Splunk Cloud Platform (CVE-2024-45732, CVE-2024-45736, CVE-2024-45737, CVE-2024-45740, CVE-2024-45741) and Splunk Secure Gateway (CVE-2024-45735). Users are advised to review the latest secure versions of these products separately.
Along with installing updates, organizations using Splunk products should reassess their security configurations to mitigate the risk of vulnerability exploitation. Splunk’s support team is available for further assistance or guidance on resolving any issues.