Risky command safeguards bypass through Search ID query in Analytics Workspace
Advisory ID: SVD-2024-0706
CVE ID: CVE-2024-36986
Published: 2024-07-01
Last Update: 2024-07-01
CVSSv3.1 Score: 6.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
CWE: CWE-200
Bug ID: VULN-10317
Description
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, an authenticated user could run risky commands using the permissions of a higher-privileged user to bypass SPL safeguards for risky commands in the Analytics Workspace.
The vulnerability requires the authenticated user to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Solution
Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.
Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.1 | 9.2.2 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.4 | 9.1.5 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.9 | 9.0.10 |
| Splunk Cloud Platform | 9.1.2312 | Splunk Web | Below 9.1.2312.200 | 9.1.2312.200 |
| Splunk Cloud Platform | 9.1.2308 | Splunk Web | Below 9.1.2308.207 | 9.1.2308.207 |
Mitigations and Workarounds
The vulnerability likely affects instances with the Analytics Workspace enabled. Turning off the Analytics Workplace application is a possible workaround. For more information on managing apps, see Manage app and add-on objects.
The vulnerability likely affects instances with Splunk Web enabled, turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
Detections
Severity
Splunk rates this vulnerability as 6.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N.
If the Splunk Enterprise instance does not run Splunk Web or disabled Analytics Workplace, there should be no impact and the severity would be informational.
Acknowledgments
Anton (therceman)