New Splunk Enterprise PoC Exploit: Local File Inclusion Vulnerability disclosed

July 10, 2024
1 min read

TLDR:

  • A PoC exploit has been released for a critical local file inclusion vulnerability in Splunk Enterprise, affecting versions below 9.2.2, 9.1.5, and 9.0.10 on Windows systems.
  • The vulnerability allows unauthorized access to sensitive files on the system by exploiting a flaw in the Python os.path.join function.

A proof-of-concept (PoC) exploit has been released for a critical local file inclusion vulnerability in Splunk Enterprise, identified as CVE-2024-36991. This vulnerability affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, specifically on Windows systems. The vulnerability arises from a flaw in the Python os.path.join function improperly handles path tokens by removing the drive letter if it matches the drive in the built path. This flaw allows an attacker to perform a path traversal attack on the endpoint, potentially enabling unauthorized access to sensitive files on the system. The issue is confined to instances of Splunk Enterprise running on Windows with Splunk Web-enabled.

Exploit Information

The PoC exploit for CVE-2024-36991, developed by security researcher Danylo Dmytriiev, demonstrates how an attacker can leverage this vulnerability to read the passwd file on a Splunk Enterprise server. The exploit script requires Python 3.6 or higher, and the requests library. It can target a single URL or scan multiple targets listed in a file.

Mitigation and Recommendations

To protect against this vulnerability, it is recommended to upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, or 9.0.10 or higher. As an additional precaution, administrators can disable Splunk Web if it is not required. Instructions for disabling Splunk Web can be found in the web.conf configuration specification file. The vulnerability has been rated with high severity, carrying a CVSSv3 score of 7.5. It poses a significant risk, allowing remote, unauthenticated attackers to read sensitive information from arbitrary files on the affected systems. Given the potential for information disclosure, administrators must apply the recommended updates and mitigations promptly. Organizations using Splunk Enterprise on Windows should prioritize upgrading to the latest versions and consider disabling unnecessary components to mitigate the risk of exploitation.

Latest from Blog

Trust is the secret sauce for cybersecurity success

TLDR: Key Points: Trust between CISOs and top executives is crucial for justifying cybersecurity investments. Five key questions CISOs must ask themselves about their cybersecurity strategy include budget justification, risk reporting, celebrating

Expert opinion on cyber security is a must have

TLDR: Key points from the article: Study shows link between lack of sleep and increased risk of Alzheimer’s disease. Researchers found that poor sleep quality was associated with higher levels of brain