New Splunk Enterprise PoC Exploit: Local File Inclusion Vulnerability disclosed

July 10, 2024
1 min read

TLDR:

  • A PoC exploit has been released for a critical local file inclusion vulnerability in Splunk Enterprise, affecting versions below 9.2.2, 9.1.5, and 9.0.10 on Windows systems.
  • The vulnerability allows unauthorized access to sensitive files on the system by exploiting a flaw in the Python os.path.join function.

A proof-of-concept (PoC) exploit has been released for a critical local file inclusion vulnerability in Splunk Enterprise, identified as CVE-2024-36991. This vulnerability affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, specifically on Windows systems. The vulnerability arises from a flaw in the Python os.path.join function improperly handles path tokens by removing the drive letter if it matches the drive in the built path. This flaw allows an attacker to perform a path traversal attack on the endpoint, potentially enabling unauthorized access to sensitive files on the system. The issue is confined to instances of Splunk Enterprise running on Windows with Splunk Web-enabled.

Exploit Information

The PoC exploit for CVE-2024-36991, developed by security researcher Danylo Dmytriiev, demonstrates how an attacker can leverage this vulnerability to read the passwd file on a Splunk Enterprise server. The exploit script requires Python 3.6 or higher, and the requests library. It can target a single URL or scan multiple targets listed in a file.

Mitigation and Recommendations

To protect against this vulnerability, it is recommended to upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, or 9.0.10 or higher. As an additional precaution, administrators can disable Splunk Web if it is not required. Instructions for disabling Splunk Web can be found in the web.conf configuration specification file. The vulnerability has been rated with high severity, carrying a CVSSv3 score of 7.5. It poses a significant risk, allowing remote, unauthenticated attackers to read sensitive information from arbitrary files on the affected systems. Given the potential for information disclosure, administrators must apply the recommended updates and mitigations promptly. Organizations using Splunk Enterprise on Windows should prioritize upgrading to the latest versions and consider disabling unnecessary components to mitigate the risk of exploitation.

Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and