TLDR:
- A critical Splunk vulnerability, CVE-2024-36991, was exploited using crafted GET requests.
- The vulnerability allowed threat actors to traverse the file system and read files outside the restricted directory.
Article Summary:
Splunk Enterprise, a widely used security and monitoring platform, was found to have a high-severity vulnerability, CVE-2024-36991: a path traversal in the “/modules/messaging/” endpoint of Splunk Enterprise on Windows, affecting versions below 9.2.2, 9.1.5, and 9.0.10. Rated 7.5 (High), it allowed threat actors to read arbitrary files on the underlying operating system by sending crafted GET requests.
The root cause was identified as the behaviour of the Python os.path.join() function on Windows: when it encounters a rooted path segment it does not reset the drive, so the joined path can land outside the intended directory, enabling unauthorized access to sensitive files on the system. Reports indicated that over 230,000 internet-exposed Splunk servers were vulnerable to this flaw.
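To make that root cause concrete, the following is an added example (not Splunk's code and not from the original article) that reproduces the Windows os.path.join() behaviour with Python's ntpath module, so it runs on any OS, and places the weak join pattern next to a containment check that rejects rooted, drive-qualified and ".." segments. BASE_DIR and the sample request segments are constructed placeholders, not Splunk's real layout.

```python
import ntpath

# Constructed example base directory (not Splunk's real layout). ntpath gives
# Windows path semantics on any OS, which is exactly what this bug depends on.
BASE_DIR = r"C:\SplunkHome\share\static"


def vulnerable_join(base, user_segment):
    """The weak pattern: join a request-supplied segment straight onto the base.
    On Windows a segment beginning with a separator is a *rooted* path: join
    keeps the base's drive letter but discards the rest of the base, so the
    result is an absolute path elsewhere on the same drive."""
    return ntpath.normpath(ntpath.join(base, user_segment))


def escapes_base(base, user_segment):
    """True if user_segment would resolve outside base (rooted segment,
    drive- or UNC-qualified segment, or '..' traversal)."""
    drive, tail = ntpath.splitdrive(user_segment)
    if drive or tail[:1] in ("\\", "/"):
        return True  # rooted or drive/UNC-qualified: never relative to base
    base_norm = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base_norm, user_segment))
    try:
        # Containment check: the common prefix must be the base itself.
        return ntpath.commonpath([base_norm, candidate]) != base_norm
    except ValueError:  # different drives, or absolute/relative mix
        return True


def safe_join(base, user_segment):
    """Hardened join: refuse anything that escapes, otherwise return the
    normalised path under base."""
    if escapes_base(base, user_segment):
        raise ValueError("path segment escapes the base directory")
    return ntpath.normpath(ntpath.join(ntpath.normpath(base), user_segment))


if __name__ == "__main__":
    # Constructed request segments: one legitimate, three that escape.
    for seg in (r"apps\search\README.txt", r"\Windows\win.ini",
                "/Windows/win.ini", r"..\..\..\Windows\win.ini"):
        print(f"{seg!r:32} naive -> {vulnerable_join(BASE_DIR, seg):28}"
              f" escapes={escapes_base(BASE_DIR, seg)}")
```

The naive join maps all three hostile segments to C:\Windows\win.ini, while escapes_base() flags each of them and accepts only the relative segment.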
Exploit code and a proof-of-concept were published on GitHub, showing how threat actors could exploit the vulnerability against instances reachable remotely or over a local network. To mitigate this risk, users of affected Splunk Enterprise versions were advised to upgrade to the latest versions to prevent exploitation.
In conclusion, the critical Splunk vulnerability CVE-2024-36991 underscored the importance of timely updates and patching to protect systems against cyber threats and unauthorized access.