Risky command safeguards bypass through Search ID query in Analytics Workspace

Advisory ID: SVD-2024-0706

CVE ID: CVE-2024-36986

Published: 2024-07-01

Last Update: 2024-07-01

CVSSv3.1 Score: 6.3, Medium

CWE: CWE-200

Bug ID: VULN-10317

Description

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, an authenticated user could run risky commands using the permissions of a higher-privileged user to bypass SPL safeguards for risky commands in the Analytics Workspace.

The vulnerability requires the authenticated user to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

Solution

Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.

Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.

Product Status

Product               | Version  | Component  | Affected Version      | Fix Version
Splunk Enterprise     | 9.2      | Splunk Web | 9.2.0 to 9.2.1        | 9.2.2
Splunk Enterprise     | 9.1      | Splunk Web | 9.1.0 to 9.1.4        | 9.1.5
Splunk Enterprise     | 9.0      | Splunk Web | 9.0.0 to 9.0.9        | 9.0.10
Splunk Cloud Platform | 9.1.2312 | Splunk Web | Below 9.1.2312.200    | 9.1.2312.200
Splunk Cloud Platform | 9.1.2308 | Splunk Web | Below 9.1.2308.207    | 9.1.2308.207

Mitigations and Workarounds

The vulnerability likely affects instances with the Analytics Workspace enabled. Turning off the Analytics Workspace application is a possible workaround. For more information on managing apps, see Manage app and add-on objects.

The vulnerability likely affects instances with Splunk Web enabled. Turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
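The following script is an added example and is not Splunk's code. It applies the advisory's precondition (Splunk Web running and the Analytics Workspace app enabled) to the two conf files the workarounds change, showing the exposed settings next to the hardened ones. It assumes, beyond what the advisory states, that Splunk Web is governed by startwebserver in the [settings] stanza of web.conf (the setting documented in the web.conf spec), that an app is disabled when its app.conf [install] stanza reads state = disabled, and that the Analytics Workspace app directory is named splunk_metrics_workspace; verify that name under $SPLUNK_HOME/etc/apps before relying on it.

```python
"""Check whether either documented workaround for CVE-2024-36986 is in effect.

Added example, not Splunk's own code. Assumptions (not from the advisory):
Splunk Web is controlled by `startwebserver` in web.conf [settings], an app
is disabled by `state = disabled` in its app.conf [install] stanza, and the
Analytics Workspace app directory is `splunk_metrics_workspace`.
"""
import configparser
import os

# Constructed sample conf contents: the exposed settings next to the hardened
# ones produced by the advisory's two workarounds.
WEB_CONF_EXPOSED = "[settings]\nstartwebserver = 1\nhttpport = 8000\n"
WEB_CONF_HARDENED = "[settings]\nstartwebserver = 0\nhttpport = 8000\n"
APP_CONF_EXPOSED = "[install]\nstate = enabled\n"
APP_CONF_HARDENED = "[install]\nstate = disabled\n"

ANALYTICS_WORKSPACE_APP = "splunk_metrics_workspace"  # assumed app directory name


def parse_conf(text):
    """Parse Splunk's INI-style conf text, keeping key case as Splunk does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def splunk_web_enabled(web_conf_text):
    """True unless startwebserver is explicitly off (Splunk's default is on)."""
    cp = parse_conf(web_conf_text)
    value = cp.get("settings", "startwebserver", fallback="1").strip().lower()
    return value not in ("0", "false")


def app_enabled(app_conf_text):
    """True unless the app's [install] stanza marks it disabled."""
    cp = parse_conf(app_conf_text)
    state = cp.get("install", "state", fallback="enabled").strip().lower()
    return state != "disabled"


def assess(web_conf_text, app_conf_text):
    """'exposed' when both preconditions hold; otherwise name the workaround(s) in effect."""
    web = splunk_web_enabled(web_conf_text)
    app = app_enabled(app_conf_text)
    if web and app:
        return "exposed"
    reasons = []
    if not web:
        reasons.append("splunk web disabled")
    if not app:
        reasons.append("analytics workspace disabled")
    return "mitigated: " + ", ".join(reasons)


def assess_instance(splunk_home):
    """Read the local-layer conf files of a real instance and assess them.

    Only system/local and the app's local layer are read here; the merged,
    effective configuration is what `splunk btool web list settings` reports.
    """
    web_path = os.path.join(splunk_home, "etc", "system", "local", "web.conf")
    app_path = os.path.join(splunk_home, "etc", "apps", ANALYTICS_WORKSPACE_APP,
                            "local", "app.conf")
    web_text = open(web_path).read() if os.path.exists(web_path) else ""
    app_text = open(app_path).read() if os.path.exists(app_path) else ""
    return assess(web_text, app_text)


if __name__ == "__main__":
    print(assess(WEB_CONF_EXPOSED, APP_CONF_EXPOSED))    # exposed
    print(assess(WEB_CONF_HARDENED, APP_CONF_EXPOSED))   # mitigated: splunk web disabled
    print(assess(WEB_CONF_EXPOSED, APP_CONF_HARDENED))   # mitigated: analytics workspace disabled
```

Because Splunk layers conf files (system default, app default, app local, system local), a check against one file can miss an override elsewhere; treat assess_instance as a first pass and confirm with btool output before treating an instance as mitigated.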

Detections

Severity

Splunk rates this vulnerability as 6.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N.

If the Splunk Enterprise instance does not run Splunk Web or has the Analytics Workspace disabled, there should be no impact and the severity would be informational.

Acknowledgments

Anton (therceman)