Command Injection using External Lookups

Advisory ID: SVD-2024-0703

CVE ID: CVE-2024-36983

Published: 2024-07-01

Last Update: 2024-07-01

CVSSv3.1 Score: 8.0, High

CWE: CWE-77

Bug ID: VULN-15560

Description

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an authenticated user could create an external lookup that calls a legacy internal function. The authenticated user could use this internal function to insert code into the Splunk platform installation directory. From there, the user could execute arbitrary code on the Splunk platform instance.

The vulnerability revolves around the currently deprecated "runshellscript" command that scripted alert actions use. This command, combined with external command lookups, lets an authenticated user inject and execute commands within a privileged context on the Splunk platform instance.
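As an added example, not code from the advisory or from Splunk: a defender-side audit that parses a transforms.conf and flags external lookup stanzas whose external_cmd references the deprecated runshellscript command. The sample configuration text is constructed; external_cmd and external_type are the standard transforms.conf keys that define an external lookup.

```python
import configparser

# Constructed sample transforms.conf content (not taken from any real deployment).
SAMPLE_TRANSFORMS_CONF = """
[geo_lookup]
external_cmd = geo.py ip
external_type = python
fields_list = ip, country

[suspicious_lookup]
external_cmd = RunShellScript.py helper.sh
external_type = python
fields_list = host, result

[plain_csv]
filename = hosts.csv
"""

# Name of the legacy command the advisory describes; matched case-insensitively.
LEGACY_COMMAND = "runshellscript"


def parse_external_lookups(conf_text):
    """Return {stanza_name: external_cmd} for every stanza that defines an
    external lookup (i.e. carries an external_cmd key). Stanzas without
    external_cmd, such as CSV lookups, are ignored."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    lookups = {}
    for stanza in parser.sections():
        # configparser lowercases keys, so the key is always "external_cmd".
        if parser.has_option(stanza, "external_cmd"):
            lookups[stanza] = parser.get(stanza, "external_cmd").strip()
    return lookups


def find_legacy_external_lookups(conf_text):
    """Return [(stanza_name, external_cmd)] for external lookups whose command
    line mentions the legacy runshellscript command anywhere (substring match,
    case-insensitive), so that renamed or wrapped invocations are still flagged."""
    findings = []
    for stanza, cmd in parse_external_lookups(conf_text).items():
        if LEGACY_COMMAND in cmd.lower():
            findings.append((stanza, cmd))
    return findings


if __name__ == "__main__":
    for stanza, cmd in find_legacy_external_lookups(SAMPLE_TRANSFORMS_CONF):
        print(f"review external lookup [{stanza}]: external_cmd = {cmd}")
```

Run it against each transforms.conf under the installation's etc/apps and etc/system directories; any hit is a lookup definition worth reviewing before and after upgrading.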

Solution

Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.

Splunk is performing upgrades on Splunk Cloud Platform instances as part of Emergency Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.

Product Status

Product | Version | Component | Affected Version | Fix Version
Splunk Enterprise | 9.2 | External Lookups | 9.2.0 to 9.2.1 | 9.2.2
Splunk Enterprise | 9.1 | External Lookups | 9.1.0 to 9.1.4 | 9.1.5
Splunk Enterprise | 9.0 | External Lookups | 9.0.0 to 9.0.9 | 9.0.10
Splunk Cloud Platform | 9.1.2312 | External Lookups | 9.1.2312.100 to 9.1.2312.108 | 9.1.2312.109
Splunk Cloud Platform | 9.1.2308 | External Lookups | Below 9.1.2308.207 | 9.1.2308.207

Mitigations and Workarounds

None

Detections

Severity

Splunk rates this vulnerability as 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.

Acknowledgments

Danylo Dmytriiev (DDV_UA)