Security vulnerability in Splunk can be used to steal passwords (CVE-2024-36991)

The recently fixed vulnerability (CVE-2024-36991) affecting Splunk Enterprise on Windows has been deemed more severe than initially believed by SonicWall’s threat researchers. Several Proof of Concept (PoC) exploits have been made public, including one by IT consultant Mohamed Nabil Ali, which conducts bulk scanning for vulnerable internet-facing endpoints and attempts to read the /etc/passwd file.

Splunk Enterprise, a data analytics and monitoring platform, allows organizations to collect and analyze machine-generated data from various sources like network and security devices, servers, etc. CVE-2024-36991, discovered by Danylo Dmytriiev, is a path traversal vulnerability in Splunk Web, the platform’s user interface. This vulnerability enables attackers to traverse the file system to access files or directories outside the restricted directory (/modules/messaging/).

According to SonicWall’s researchers, the vulnerability stems from the Python os.path.join function, which eliminates the drive letter from path tokens if the drive in the token matches the drive in the built path. Exploitation of CVE-2024-36991 can be done with a specially crafted GET request, allowing an attacker to perform a directory listing on the Splunk endpoint without prior authentication.
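The os.path.join behaviour described above can be reproduced offline with Python's ntpath module, which implements the Windows path rules on any platform. The example below is added here and is not code from the article, SonicWall or Splunk; the restricted directory is a constructed placeholder, and the hardened form shows the containment check a server should apply after normalising the joined path.

```python
import ntpath

# Constructed placeholder for a restricted directory on a Windows host
# (not Splunk's real layout).
RESTRICTED_DIR = r"C:\app\modules\messaging"


def naive_join(base, token):
    """Join a user-supplied token onto the base directory with no containment
    check, the way a vulnerable handler would. ntpath reproduces the Windows
    semantics: a drive letter on the token that matches the base drive is
    dropped and the remainder is spliced in as a relative component, while a
    rooted token or a different drive discards the base entirely."""
    return ntpath.normpath(ntpath.join(base, token))


def safe_join(base, token):
    """Hardened form: build the same path, then require the normalised result
    to remain under the normalised base. Returns the path, or None when the
    token would escape the restricted directory."""
    candidate = naive_join(base, token)
    base_n = ntpath.normcase(ntpath.normpath(base))
    try:
        inside = ntpath.commonpath([base_n, ntpath.normcase(candidate)]) == base_n
    except ValueError:
        # Raised when the drives differ or absolute/relative paths are mixed;
        # either way the result is outside the base directory.
        inside = False
    return candidate if inside else None


def classify(token):
    """Return (naive_result, safe_result) for one token, for a quick audit."""
    return naive_join(RESTRICTED_DIR, token), safe_join(RESTRICTED_DIR, token)


if __name__ == "__main__":
    for tok in ["inbox.txt", r"C:..\..\config.txt", r"\x.txt", r"D:\other\file.txt"]:
        naive, safe = classify(tok)
        print(f"{tok!r:24} naive={naive!r:34} safe={safe!r}")
```

Only the first token survives safe_join; the other three resolve outside the base directory and are rejected, which is the check the naive join lacks.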

SonicWall’s researchers highlighted that an attacker only needs remote access to the instance, whether through the Internet or a local network, to exploit the vulnerability. CVE-2024-36991 affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, as long as the Splunk Web component is active.

Given Splunk’s prevalence in development environments, with up to 230k exposed servers running Splunk according to Fofa, administrators are urged to promptly implement the patch to mitigate the risk of exploitation. Disabling Splunk Web eliminates the vulnerability’s threat, though upgrading to a patched version is the recommended course of action.

In response to the CVE-2024-36991 threat, Splunk’s Threat Research team has provided a search query to detect any exploitation attempts against the /modules/messaging endpoint. This proactive approach can help organizations identify and thwart potential attacks exploiting the vulnerability.

Overall, the severity of the CVE-2024-36991 vulnerability in Splunk Enterprise underscores the importance of prompt patching and risk mitigation strategies. By staying informed and proactive in addressing security vulnerabilities, organizations can enhance their cybersecurity posture and protect their sensitive data from malicious actors.
