Critical Splunk Vulnerability CVE-2024-36991: Patch Now to Prevent Arbitrary File Reads

A critical path traversal vulnerability (CVE-2024-36991) affects Splunk Enterprise, enabling arbitrary file reads via a crafted request to the Splunk Web endpoint. Patch guidance and mitigations are provided, including upgrade recommendations and workarounds for affected deployments.
#CVE-2024-36991 #Splunk #PathTraversal #SplunkWeb

Keypoints

  • The flaw is identified as CVE-2024-36991 with a CVSSv3 score of 7.5 and is categorized under CWE-35 (Path/Directory Traversal).
  • Affected Splunk Enterprise versions are those below 9.2.2, 9.1.5 and 9.0.10.
  • The attack can be performed by a remote attacker via a crafted GET request to the vulnerable /modules/messaging/ endpoint when Splunk Web is enabled.
  • The vulnerability allows directory listing and potential access to sensitive files outside the restricted directory due to os.path.join behavior in Python.
  • A PoC demonstrating the exploit is publicly available on GitHub: https://github.com/bigb0x/CVE-2024-36991.
  • Splunk has released a patch and administrators are urged to upgrade; workarounds include turning off Splunk Web or disabling unnecessary web components in web.conf.
  • SonicWall IPS signatures (e.g., IPS: 4469) have been released to detect/mitigate exploitation attempts.
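
The os.path.join behavior named in the keypoints, shown next to a containment check. This is an added example, not code from Splunk or the SonicWall post; the base directories, file names and the helper names naive_join and safe_join are constructed for illustration, and it generalizes to both POSIX and Windows path rules by calling posixpath and ntpath directly.

```python
import ntpath
import posixpath


def naive_join(base, user_path, pathmod=posixpath):
    """The risky pattern: assume join() keeps the result under base.

    join() discards every earlier component when a later one is absolute
    (POSIX) or names a different drive (Windows), so base can vanish.
    """
    return pathmod.join(base, user_path)


def safe_join(base, user_path, pathmod=posixpath):
    """Return a normalized path under base, or raise ValueError."""
    drive, _ = pathmod.splitdrive(user_path)
    if drive or pathmod.isabs(user_path):
        raise ValueError("absolute or drive-qualified path rejected")
    base_norm = pathmod.normpath(base)
    candidate = pathmod.normpath(pathmod.join(base_norm, user_path))
    # Lexical containment check; a file-serving handler should also
    # resolve symlinks (os.path.realpath) before comparing.
    if pathmod.commonpath([base_norm, candidate]) != base_norm:
        raise ValueError("path escapes base directory")
    return candidate


def is_allowed(base, user_path, pathmod=posixpath):
    """True when safe_join accepts the request path."""
    try:
        safe_join(base, user_path, pathmod)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: (base, requested path, path rules)
    samples = [
        ("/opt/app/static", "img/logo.png", posixpath),
        ("/opt/app/static", "/etc/passwd", posixpath),
        ("/opt/app/static", "../../etc/passwd", posixpath),
        ("C:\\app\\static", "D:secret.txt", ntpath),
        ("C:\\app\\static", "\\Windows\\win.ini", ntpath),
    ]
    for base, req, mod in samples:
        print(repr(req), "->", repr(naive_join(base, req, mod)),
              "| allowed:", is_allowed(base, req, mod))
```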

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – A crafted GET request to a vulnerable Splunk instance with Splunk Web enabled is necessary and sufficient to exploit the issue. “A crafted GET request to a vulnerable Splunk instance with Splunk Web enabled is necessary and sufficient to exploit the issue.”
  • [T1083] File and Directory Discovery – The CVE-2024-36991 flaw leverages the os.path.join function allowing an attacker to perform a directory listing on the Splunk endpoint, potentially enabling unauthorized access to sensitive files on the system. “The CVE-2024-36991 flaw leverages the os.path.join function allowing an attacker to perform a directory listing on the Splunk endpoint, potentially enabling unauthorized access to sensitive files on the system.”

Indicators of Compromise

  • [URL] PoC and advisory resources – https://github.com/bigb0x/CVE-2024-36991, https://advisory.splunk.com/advisories/SVD-2024-0711
  • [URL] Vulnerable endpoint/path referenced – /modules/messaging/

Read more: https://blog.sonicwall.com/en-us/2024-07/critical-splunk-vulnerability-cve-2024-36991-patch-now-to-prevent-arbitrary-file-reads/