Adrian Johnson
TLDR:
- A PoC exploit has been released for a critical local file inclusion vulnerability in Splunk Enterprise, affecting versions below 9.2.2, 9.1.5, and 9.0.10 on Windows systems.
- The vulnerability allows unauthorized access to sensitive files on the system by exploiting a flaw in the Python os.path.join function.
A proof-of-concept (PoC) exploit has been released for a critical local file inclusion vulnerability in Splunk Enterprise, identified as CVE-2024-36991. This vulnerability affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, specifically on Windows systems. The vulnerability arises from a flaw in the Python os.path.join function improperly handles path tokens by removing the drive letter if it matches the drive in the built path. This flaw allows an attacker to perform a path traversal attack on the endpoint, potentially enabling unauthorized access to sensitive files on the system. The issue is confined to instances of Splunk Enterprise running on Windows with Splunk Web-enabled.
Exploit Information
The PoC exploit for CVE-2024-36991, developed by security researcher Danylo Dmytriiev, demonstrates how an attacker can leverage this vulnerability to read the passwd file on a Splunk Enterprise server. The exploit script requires Python 3.6 or higher, and the requests library. It can target a single URL or scan multiple targets listed in a file.
Mitigation and Recommendations
To protect against this vulnerability, it is recommended to upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, or 9.0.10 or higher. As an additional precaution, administrators can disable Splunk Web if it is not required. Instructions for disabling Splunk Web can be found in the web.conf configuration specification file. The vulnerability has been rated with high severity, carrying a CVSSv3 score of 7.5. It poses a significant risk, allowing remote, unauthenticated attackers to read sensitive information from arbitrary files on the affected systems. Given the potential for information disclosure, administrators must apply the recommended updates and mitigations promptly. Organizations using Splunk Enterprise on Windows should prioritize upgrading to the latest versions and consider disabling unnecessary components to mitigate the risk of exploitation.
