Black Arrow Cyber Advisory 23 July 2024 – Splunk Path Traversal Vulnerability

Executive summary

Organisations using Splunk Enterprise on Windows are advised to apply patches for a high severity vulnerability (CVE-2024-36991) as more than 230,000 internet exposed servers have been identified with this flaw. The vulnerability, which has had a proof of concept released, allows an attacker to performing a directory listing on the Splunk endpoint, which will allow the threat actor to gain unauthorised access to sensitive files in the system.

What’s the risk to me or my business?

While there are currently no reports of this vulnerability being exploited in the wild, there have been several proof of concept (PoC) exploits including one that performs bulk scanning for vulnerable internet-facing endpoints. If the Splunk instance has Splunk Web turned on, an attacker successfully exploiting the vulnerability can gain unauthorised access to sensitive files in the system.

What can I do?

Splunk has released a patch for the affected products which should be applied as soon as possible. The affected products are; Splunk Enterprise versions 9.2, 9.1, and 9.0 on Windows. It is advised to upgrade to 9.2.2, 9.1.5, and 9.0.10, or higher.

Technical Summary

CVE-2024-36991 – This exploit uses a crafted GET request which takes advantage of a vulnerability associated with Path traversal on the “/modules/messaging/” endpoint on Splunk Enterprise for Windows. The vulnerability exists because the Python “os.path.join” function removes the drive letter from path tokens if the drive in the token matches the drive in the built path.

Further information on the Splunk vulnerability can be found here:

https://advisory.splunk.com/advisories/SVD-2024-0711

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity