Splunk Enterprise is one of the many applications Splunk offers for security and monitoring purposes.

It lets organizations search, analyze and visualize machine data, which helps them respond to incidents more effectively.

At the beginning of this month, Splunk released a security advisory for a high-severity vulnerability.

Tracked as CVE-2024-36991, the vulnerability is a path traversal on the "/modules/messaging/" endpoint in Splunk Enterprise on Windows. It carries a severity score of 7.5 (High) and affects Splunk Enterprise versions before 9.2.2, 9.1.5 and 9.0.10.

The flaw stems from Python's os.path.join function, which on Windows strips the drive letter from a path token when the drive in that token matches the drive of the path being built.


A threat actor can exploit this behaviour to traverse the file system and access files or directories outside the restricted directory.

Splunk Vulnerability Exploited Via GET Requests

According to reports, more than 230,000 internet-exposed servers running Splunk are vulnerable to this flaw.

For a deeper look at the root cause: the os.path.join() function takes multiple path components as arguments and combines them into a single path, inserting the path separator that is correct for the operating system.

os.path.join function (Source: SonicWall)

Windows also keeps a separate current directory for each drive, so a drive-relative path such as C:sourcedir means "sourcedir" inside the current directory of drive C:, not C:\sourcedir.

As the os.path.join documentation notes, on Windows the drive is not reset when a rooted path segment such as r'\foo' is provided:

"On Windows, the drive is not reset when a rooted path segment (e.g., r'\foo') is encountered. If a segment is on a different drive or is an absolute path, all previous segments are ignored and the drive is reset.

Note that since there is a current directory for each drive, os.path.join("c:", "foo") represents a path relative to the current directory on drive C: (c:foo), not c:\foo," reads the os.path.join documentation.

An attacker can abuse this behaviour to list directories on the vulnerable Splunk endpoint and gain unauthorized access to sensitive files on the system.

The vulnerability affects Splunk Enterprise instances where Splunk Web is enabled.

To exploit it, an attacker sends a crafted GET request that causes the Splunk Enterprise instance to read arbitrary files on the operating system, the SonicWall report says.

The commands shown below are examples of arbitrary file reads.

CVE-2024-36991 Proof of concept (Source: SonicWall)
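The following is an added example, not code from the article, from SonicWall or from Splunk, that reproduces the os.path.join behaviour quoted above and shows how it turns into the crafted-GET file read described in this section. It uses Python's ntpath module, which is what os.path resolves to on Windows, so it runs on any platform. The base directory, the request path and the "reject a literal .. token" filter are all constructed for illustration; the real Splunk Web install path, module layout and original check are not given on this page, and the number of "C:.." tokens an attacker needs depends only on how deep the served directory sits below the target file.

```python
import ntpath  # Windows path semantics on any platform; os.path is ntpath on Windows

# Hypothetical directory Splunk Web would serve module assets from; the real
# install path and module layout are not given in the article.
BASE = r"C:\Splunk\share\splunk\modules\messaging"


def join_drive_examples():
    """The os.path.join behaviours quoted from the Python docs, on Windows paths."""
    return {
        # drive-relative: the current directory of drive c:, not c:\foo
        "c: + foo": ntpath.join("c:", "foo"),
        # a rooted segment keeps the drive but replaces the path
        r"c:\foo + \bar": ntpath.join(r"c:\foo", r"\bar"),
        # a segment on a different drive discards everything before it
        r"c:\foo + d:bar": ntpath.join(r"c:\foo", "d:bar"),
        # same drive as the build path: the drive prefix is dropped and the
        # remainder is appended as a relative component, so "c:.." becomes ".."
        r"c:\foo + c:..": ntpath.join(r"c:\foo", "c:.."),
    }


def vulnerable_resolve(base, url_path):
    """Token-by-token join guarded only by a literal '..' filter (constructed weak pattern)."""
    tokens = url_path.split("/")
    for tok in tokens:
        if tok == "..":
            raise ValueError("traversal rejected")
    # ntpath.join strips the matching drive letter from every "C:.." token,
    # so the filter above never sees the ".." that actually reaches the join.
    return ntpath.normpath(ntpath.join(base, *tokens))


def safe_resolve(base, url_path):
    """Resolve first, then confine: the normalised result must still sit under base."""
    tokens = url_path.split("/")
    candidate = ntpath.normpath(ntpath.join(base, *tokens))
    base_norm = ntpath.normcase(ntpath.normpath(base))
    try:
        common = ntpath.commonpath([base_norm, ntpath.normcase(candidate)])
    except ValueError:  # different drives, or absolute mixed with relative
        raise ValueError("traversal rejected") from None
    if common != base_norm:
        raise ValueError("traversal rejected")
    return candidate


if __name__ == "__main__":
    # Constructed request path: four "C:.." tokens walk four levels up from BASE.
    ATTACK = "C:../C:../C:../C:../etc/passwd"
    for label, joined in join_drive_examples().items():
        print(f"{label:18} -> {joined}")
    print("vulnerable:", vulnerable_resolve(BASE, ATTACK))
    try:
        safe_resolve(BASE, ATTACK)
    except ValueError as err:
        print("hardened:  ", err)
    print("hardened:  ", safe_resolve(BASE, "js/messaging.js"))
```

The hardened version does not try to enumerate bad tokens at all; it lets the join and normpath do whatever they do and then checks, on case-folded paths, that the result still has the base directory as its common prefix. That is the check a practitioner should reach for whenever a URL path is mapped onto a file system path, because any token-level filter has to anticipate every quirk of the platform's join, and the drive-letter rule here is exactly the kind of quirk such filters miss.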

Exploit code and a proof of concept have also been published on GitHub. As a prerequisite, an attacker must be able to reach the vulnerable instance over the internet or a local network.

Affected Products And Fixed In Versions

Product            Version   Component    Affected Version   Fix Version
Splunk Enterprise  9.2       Splunk Web   9.2.0 to 9.2.1     9.2.2
Splunk Enterprise  9.1       Splunk Web   9.1.0 to 9.1.4     9.1.5
Splunk Enterprise  9.0       Splunk Web   9.0.0 to 9.0.9     9.0.10

Users of the affected Splunk Enterprise versions should upgrade to the fixed versions listed above to prevent threat actors from exploiting this vulnerability.
