Splunk Vulnerabilities Discovered

By Joshua Bourns on May 3, 2024

Executive Summary

Recently, two vulnerabilities affecting Splunk Enterprise, a popular software platform for data ingestion, indexing, and analysis, were discovered: CVE-2024-29946 and CVE-2024-29945. CVE-2024-29946 allows attackers to bypass safeguards for risky commands within the Splunk Dashboard Studio app, potentially leading to unauthorized access or data manipulation. CVE-2024-29945 is a separate vulnerability within the Search Processing Language (SPL) compiler that could enable attackers to remotely execute arbitrary code. Both vulnerabilities require user interaction for exploitation, emphasizing the importance of user awareness and applying security updates promptly.

Background

Splunk Enterprise is a widely used software platform for collecting, analyzing, and visualizing machine-generated data from various sources. It offers functionalities like security information and event management (SIEM) and operational intelligence. These vulnerabilities impact Splunk Enterprise versions below specific thresholds and could pose a significant risk to organizations relying on Splunk for data security.

Technical Details

Two critical vulnerabilities have been identified in Splunk Enterprise, a software platform for data analysis. Let’s delve into the technical details of each vulnerability and how they can be exploited.

CVE-2024-29946: Risky Command Bypass in Splunk Dashboard Studio

This vulnerability resides within the Splunk Dashboard Studio app, a feature that provides pre-built dashboards for users. The issue stems from inadequate validation of Search Processing Language (SPL) commands within these dashboards. SPL is a query language used to search and analyze data in Splunk. An attacker could exploit this by crafting a malicious SPL query and embedding it within a seemingly legitimate dashboard. A user tricked into initiating this dashboard through their browser could unknowingly trigger the malicious SPL query. Since these queries bypass safeguards meant to prevent risky commands, an attacker could potentially gain unauthorized access to sensitive data or even compromise the entire Splunk system (Splunk, 2024).

CVE-2024-29945: Remote Code Execution via SPL Compiler

The specifics of CVE-2024-29945 are being withheld to prevent attackers from developing exploits (Splunk, 2024). However, it is believed to be a flaw within the SPL compiler, the software component responsible for processing SPL queries. A malicious actor could potentially craft a specially designed SPL query that exploits this vulnerability. Such a query could inject arbitrary code directly onto the Splunk server, allowing the attacker to remotely execute code and potentially gain full control over the system. This could lead to devastating consequences, including deploying malware, stealing data, or launching further attacks within the network.


Mitigation

Upgrading Splunk Enterprise to patched versions is the most critical step to mitigate these vulnerabilities. Splunk has released patches to address CVE-2024-29946. Upgrading to Splunk Enterprise versions 9.2.1, 9.1.4, or 9.0.9 or higher is recommended. Specific versions addressing CVE-2024-29945 have not yet been disclosed, but staying updated with the latest Splunk releases is essential.
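The patched version thresholds quoted above differ per 9.x branch, so a simple "is my version newer than 9.0.9" check gives the wrong answer for 9.1.x and 9.2.x hosts. The following added example (not part of the original post or of Splunk's tooling) compares a reported version against the fixed release for its own branch; the hostnames and versions in the inventory are constructed, and the treatment of branches newer than 9.2 as patched and older than 9.0 as unknown is an assumption, not something the advisory states.

```python
import re
from typing import Dict, List, Tuple

# First fixed release per affected 9.x branch, as quoted in the Mitigation section.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (9, 2): (9, 2, 1),
    (9, 1): (9, 1, 4),
    (9, 0): (9, 0, 9),
}
NEWEST_FIXED_BRANCH = max(FIXED_VERSIONS)  # (9, 2)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.1.3' or '9.0.9.1' into a tuple of ints, padded to at least 3 parts."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised Splunk version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts if len(parts) >= 3 else parts + (0,) * (3 - len(parts))


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for CVE-2024-29946."""
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is not None:
        # Compare only major.minor.patch; a fourth component (e.g. 9.0.9.1) is a later build.
        return "vulnerable" if v[:3] < fixed else "patched"
    # Assumption: branches newer than 9.2 ship after the fix; branches older than
    # 9.0 are not named on this page, so we refuse to guess for them.
    return "patched" if branch > NEWEST_FIXED_BRANCH else "unknown"


def find_vulnerable(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose reported version is below the fixed release for its branch."""
    return sorted(h for h, ver in inventory.items() if assess(ver) == "vulnerable")


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "sh-01.example.internal": "9.2.0",
    "sh-02.example.internal": "9.2.1",
    "idx-01.example.internal": "9.1.3",
    "idx-02.example.internal": "9.1.4",
    "hf-01.example.internal": "9.0.9.1",
    "legacy.example.internal": "8.2.12",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:28} {ver:8} {assess(ver)}")
```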

In addition to updating software, organizations should implement security best practices for Splunk. This includes following the principle of least privilege, which restricts user access to only the data and functionalities they require for their job roles. Additionally, educating users on potential phishing attempts and the importance of caution when interacting with dashboards or SPL queries is crucial. By understanding these vulnerabilities and taking the necessary steps to mitigate them, organizations can significantly reduce their risk of a Splunk security breach.


Conclusion

These vulnerabilities in Splunk Enterprise highlight the critical need for robust security practices and keeping software updated. Upgrading Splunk to patched versions is essential to mitigate these risks. Organizations should also prioritize user awareness training and implement security best practices to minimize the attack surface.

References

[1] NIST, “CVE-2024-29945 Detail,” NVD, Mar. 27, 2024. https://nvd.nist.gov/vuln/detail/CVE-2024-29945

[2] NIST, “CVE-2024-29946 Detail,” NVD, Mar. 27, 2024. https://nvd.nist.gov/vuln/detail/CVE-2024-29946

[3] Splunk, “Risky command safeguards bypass in Dashboard Examples Hub [Security Advisory],” Mar. 27, 2024. https://advisory.splunk.com/advisories/SVD-2024-0302