Low-privileged user could run search as nobody in SplunkDeploymentServerConfig app
Advisory ID: SVD-2024-1002
CVE ID: CVE-2024-45732
Published: 2024-10-14
Last Update: 2024-10-14
CVSSv3.1 Score: 7.1, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CWE: CWE-862
Bug ID: VULN-14891
Description
In Splunk Enterprise versions below 9.3.1 and 9.2.x versions below 9.2.3, and Splunk Cloud Platform versions below 9.2.2403.103, 9.1.2312.200, 9.1.2312.110 and 9.1.2308.208, a low-privileged user that does not hold the “admin” or “power” Splunk roles could run a search as the “nobody” Splunk user in the SplunkDeploymentServerConfig app. This could let the low-privileged user access potentially restricted data.
Solution
Upgrade Splunk Enterprise to version 9.3.1 or 9.2.3, or higher. Splunk Enterprise 9.1 versions and below are not affected.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.3 | SplunkDeploymentServerConfig | 9.3.0 | 9.3.1 |
Splunk Enterprise | 9.2 | SplunkDeploymentServerConfig | 9.2.0 to 9.2.2 | 9.2.3 |
Splunk Cloud Platform | 9.2.2403 | SplunkDeploymentServerConfig | 9.2.2403.102 to 9.2.2403.102 | 9.2.2403.103 |
Splunk Cloud Platform | 9.1.2312 | SplunkDeploymentServerConfig | 9.1.2312.100 to 9.1.2312.109 | 9.1.2312.110, 9.1.2312.200 |
Splunk Cloud Platform | 9.1.2308 | SplunkDeploymentServerConfig | Below 9.1.2308.207 | 9.1.2308.208 |
Mitigations and Workarounds
You can modify the local.meta file in the $SPLUNK_HOME/etc/apps/SplunkDeploymentServerConfig/metadata directory to restrict write access to knowledge objects within Splunk apps. Use the following metadata settings in each file to restrict access:

```ini
[]
access = read : [ * ], write : [ admin ]
```

To apply the same restrictions to other apps by default, you may add the same configuration to the local.meta file in the $SPLUNK_HOME/etc/apps/<app name>/metadata directory.
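As an added check that is not part of this advisory, the following Python audit parses an app's default.meta and local.meta (local.meta overriding default.meta, as Splunk layers them) and reports stanzas whose write access extends beyond the roles you allow; the sample .meta contents are constructed, and the allowed-role default of "admin" mirrors the setting recommended above.

```python
import re

# Matches a .meta access value such as "read : [ * ], write : [ admin, power ]".
ACCESS_RE = re.compile(r"read\s*:\s*\[([^\]]*)\].*?write\s*:\s*\[([^\]]*)\]")

def parse_meta(text):
    """Parse Splunk .meta text into {stanza: {key: value}}; stanza "" is the app-wide default."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def writers(access_value):
    """Return the set of roles granted write access in an access value."""
    m = ACCESS_RE.search(access_value)
    return {r.strip() for r in m.group(2).split(",") if r.strip()} if m else set()

def audit_app(default_text, local_text, allowed=("admin",)):
    """Return stanza names whose effective write access includes roles outside `allowed`."""
    merged = parse_meta(default_text)
    for stanza, kv in parse_meta(local_text).items():   # local.meta wins over default.meta
        merged.setdefault(stanza, {}).update(kv)
    return [s for s, kv in merged.items()
            if "access" in kv and not writers(kv["access"]) <= set(allowed)]

# Constructed sample: default.meta lets the "power" role write app-wide; local.meta tightens it.
DEFAULT_META = """
[]
access = read : [ * ], write : [ admin, power ]
export = system

[savedsearches]
access = read : [ * ], write : [ admin ]
"""
LOCAL_META = """
[]
access = read : [ * ], write : [ admin ]
"""

if __name__ == "__main__":
    print("before:", audit_app(DEFAULT_META, ""))          # [''] -> app-wide stanza too permissive
    print("after: ", audit_app(DEFAULT_META, LOCAL_META))  # []   -> restricted as recommended
```

Point it at $SPLUNK_HOME/etc/apps/<app name>/metadata/default.meta and local.meta to check each app after applying the workaround.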
The vulnerability affects only instances with Splunk Web enabled, so turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
Detections
Severity
Splunk rates this vulnerability as a 7.1, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N.
If the local.meta file in the app directory has the proper metadata settings, there should be no impact and the severity would be Informational.
If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be Informational.
Acknowledgments
Anton (therceman)