A critical path traversal vulnerability (CVE-2024-36991) affects Splunk Enterprise, enabling arbitrary file reads via a crafted request to the Splunk Web endpoint. Patch guidance and mitigations are provided, including upgrade recommendations and workarounds for affected deployments.
#CVE-2024-36991 #Splunk #PathTraversal #SplunkWeb
Keypoints
- The flaw is identified as CVE-2024-36991 with a CVSSv3 score of 7.5 and is categorized under CWE-35 (Path/Directory Traversal).
- Affected Splunk Enterprise versions are those below 9.2.2, 9.1.5 and 9.0.10.
- The attack can be performed by a remote attacker via a crafted GET request to the vulnerable /modules/messaging/ endpoint when Splunk Web is enabled.
- The vulnerability allows directory listing and potential access to sensitive files outside the restricted directory due to os.path.join behavior in Python.
- A PoC demonstrating the exploit is publicly available on GitHub: https://github.com/bigb0x/CVE-2024-36991.
- Splunk has released a patch and administrators are urged to upgrade; workarounds include turning off Splunk Web or disabling unnecessary web components in web.conf.
- SonicWall IPS signatures (e.g., IPS: 4469) have been released to detect/mitigate exploitation attempts.
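The os.path.join behavior named in the keypoints, shown beside a containment check that rejects the escaping paths. This is an added example, not Splunk's code and not part of the original page; the base directories, request fragments and the helper names naive_join and safe_join are constructed for illustration.

```python
import ntpath
import posixpath

# Constructed base directories for illustration; not Splunk's real paths.
POSIX_BASE = "/srv/app/static"
WIN_BASE = r"C:\app\static"


def naive_join(base, user_part, flavour=posixpath):
    """Unsafe pattern: assume join() keeps the result under base."""
    return flavour.normpath(flavour.join(base, user_part))


def safe_join(base, user_part, flavour=posixpath):
    """Join, normalise, then confirm the result is still inside base.

    Returns the normalised path, or None if the request escapes base.
    normpath() is purely lexical; on a real filesystem also resolve
    symlinks (os.path.realpath) before the containment check.
    """
    base_norm = flavour.normpath(base)
    candidate = flavour.normpath(flavour.join(base_norm, user_part))
    try:
        # commonpath compares whole components, so "static_private"
        # is not mistaken for a child of "static" (a startswith bug).
        inside = flavour.commonpath([base_norm, candidate]) == base_norm
    except ValueError:  # e.g. paths on different Windows drives
        inside = False
    return candidate if inside else None


# Constructed request fragments: (base, user-supplied part, path flavour).
SAMPLES = [
    (POSIX_BASE, "css/site.css", posixpath),         # legitimate
    (POSIX_BASE, "/etc/hosts", posixpath),           # absolute: base dropped
    (POSIX_BASE, "../static_private/x", posixpath),  # sibling directory
    (WIN_BASE, r"img\logo.png", ntpath),             # legitimate
    (WIN_BASE, r"D:\data\keys.txt", ntpath),         # other drive: base dropped
    (WIN_BASE, r"\Windows\win.ini", ntpath),         # rooted: base dropped
]

if __name__ == "__main__":
    for base, part, flavour in SAMPLES:
        print(f"{part!r:28} naive={naive_join(base, part, flavour)!r} "
              f"safe={safe_join(base, part, flavour)!r}")
```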
MITRE Techniques
- [T1190] Exploit Public-Facing Application: "A crafted GET request to a vulnerable Splunk instance with Splunk Web enabled is necessary and sufficient to exploit the issue."
- [T1083] File and Directory Discovery: "The CVE-2024-36991 flaw leverages the os.path.join function allowing an attacker to perform a directory listing on the Splunk endpoint, potentially enabling unauthorized access to sensitive files on the system."
Indicators of Compromise
- [URL] PoC and advisory resources: https://github.com/bigb0x/CVE-2024-36991, https://advisory.splunk.com/advisories/SVD-2024-0711
- [URL] Vulnerable endpoint/path referenced: /modules/messaging/