Remote Code Execution through Serialized Session Payload in Splunk Enterprise on Windows

Advisory ID: SVD-2024-0704

CVE ID: CVE-2024-36984

Published: 2024-07-01

Last Update: 2024-07-01

CVSSv3.1 Score: 8.8, High

CWE: CWE-502 (Deserialization of Untrusted Data)

Bug ID: VULN-15741

Description

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could run a specially crafted search query and use it to deliver serialized, untrusted data that the instance then deserializes (CWE-502). The attacker could use this to execute arbitrary code on the host.

The exploit relies on the collect SPL command, which writes a file inside the Splunk Enterprise installation directory. The attacker could then use that file to submit a serialized payload; when the payload is deserialized, the code it carries executes. Note that the CVSS vector (PR:L) means any authenticated user who can run searches is sufficient; no privileged role is required.

Solution

Upgrade Splunk Enterprise to version 9.2.2, 9.1.5, or 9.0.10, or higher.

Product Status

Product            Version  Component   Affected Version  Fix Version
Splunk Enterprise  9.2      Splunk Web  9.2.0 to 9.2.1    9.2.2
Splunk Enterprise  9.1      Splunk Web  9.1.0 to 9.1.4    9.1.5
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.9    9.0.10

Mitigations and Workarounds

The affected component is Splunk Web. If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers to remove the exposed surface; search heads, where users do log in, still need Splunk Web and must be upgraded instead. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
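The following web.conf fragment is an added example of the workaround above; it is not part of the Splunk advisory. It assumes the standard local configuration path %SPLUNK_HOME%\etc\system\local\web.conf on the indexer and shows the default (weak) setting beside the corrected one.

```ini
# Added example, not from the Splunk advisory: turn off Splunk Web on an
# indexer that no user logs in to. Assumed location:
# %SPLUNK_HOME%\etc\system\local\web.conf (local overrides default).
#
# Default setting, which leaves Splunk Web (the affected component) listening
# and reachable by any authenticated user:
#
# [settings]
# startwebserver = 1

[settings]
# Corrected setting for an indexer: do not start Splunk Web at all.
startwebserver = 0
```

Restart splunkd after the change. The same result can be achieved from the command line with `splunk disable webserver` followed by `splunk restart`. Verify afterwards that nothing is listening on the Splunk Web port (8000 by default) on the indexer; do not apply this to search heads, which must be upgraded to a fixed version instead.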

Detections

Severity

Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.

Acknowledgments

Danylo Dmytriiev (DDV_UA)