Command Injection using External Lookups
Advisory ID: SVD-2024-0703
CVE ID: CVE-2024-36983
Published: 2024-07-01
Last Update: 2024-07-01
CVSSv3.1 Score: 8.0, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-77
Bug ID: VULN-15560
Description
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an authenticated user could create an external lookup that calls a legacy internal function. The authenticated user could use this internal function to insert code into the Splunk platform installation directory. From there, the user could execute arbitrary code on the Splunk platform instance.
The vulnerability revolves around the currently deprecated "runshellscript" command that scripted alert actions use. Combined with external command lookups, this command lets an authenticated user inject and execute commands within a privileged context from the Splunk platform instance.
Solution
Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.
Splunk is performing upgrades on Splunk Cloud Platform instances as part of Emergency Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.2 | External Lookups | 9.2.0 to 9.2.1 | 9.2.2 |
Splunk Enterprise | 9.1 | External Lookups | 9.1.0 to 9.1.4 | 9.1.5 |
Splunk Enterprise | 9.0 | External Lookups | 9.0.0 to 9.0.9 | 9.0.10 |
Splunk Cloud Platform | 9.1.2312 | External Lookups | 9.1.2312.100 to 9.1.2312.108 | 9.1.2312.109 |
Splunk Cloud Platform | 9.1.2308 | External Lookups | Below 9.1.2308.207 | 9.1.2308.207 |
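To triage an inventory against the table above, the following added example (not Splunk's code) classifies each instance as affected, fixed or unlisted. The product keys, host names and sample inventory are constructed for illustration; a version on a release train the table does not list is reported as unlisted rather than guessed.

```python
FIXED = {
    # (product, release train) -> first fixed version, copied from the advisory table
    ("enterprise", (9, 2)): (9, 2, 2),
    ("enterprise", (9, 1)): (9, 1, 5),
    ("enterprise", (9, 0)): (9, 0, 10),
    ("cloud", (9, 1, 2312)): (9, 1, 2312, 109),
    ("cloud", (9, 1, 2308)): (9, 1, 2308, 207),
}
TRAIN_LEN = {"enterprise": 2, "cloud": 3}  # components that identify a release train


def parse_version(text):
    """Turn '9.1.2312.108' into (9, 1, 2312, 108); raise ValueError on junk."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def status(product, version_text):
    """Return 'affected', 'fixed' or 'unlisted' for one instance."""
    product = product.lower()
    version = parse_version(version_text)
    fix = FIXED.get((product, version[:TRAIN_LEN[product]]))
    if fix is None:
        return "unlisted"  # train not in the table: the advisory makes no statement
    # Pad so '9.2' compares as 9.2.0 rather than as a shorter tuple.
    padded = version + (0,) * (len(fix) - len(version))
    return "affected" if padded < fix else "fixed"


def triage(inventory):
    """Map host -> status for an iterable of (host, product, version) rows."""
    return {host: status(product, ver) for host, product, ver in inventory}


# Constructed sample inventory (hypothetical host names).
SAMPLE = [
    ("idx01", "enterprise", "9.2.1"),
    ("sh01", "enterprise", "9.0.10"),
    ("hf01", "enterprise", "9.3.0"),
    ("stack-a", "cloud", "9.1.2312.108"),
    ("stack-b", "cloud", "9.1.2308.207"),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(f"{host}: {result}")
```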
Mitigations and Workarounds
None
Detections
Severity
Splunk rates this vulnerability as 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.
Acknowledgments
Danylo Dmytriiev (DDV_UA)