{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-111.pdf"
    },
    "title": "Multiple Vulnerabilities in Splunk Enterprise and Splunk Cloud",
    "serial_number": "2024-111",
    "publish_date": "16-10-2024 07:37:06",
    "description": "On October 14, 2024, Splunk released several advisories addressing multiple high- and medium-severity vulnerabilities affecting Splunk Enterprise and Splunk Cloud. These vulnerabilities could lead to arbitrary file write to the Windows system root directory, access to potentially restricted data and remote code execution.",
    "url_title": "2024-111",
    "content_markdown": "---\ntitle: 'Multiple Vulnerabilities in\u00a0Splunk\u00a0Enterprise and\u00a0Splunk\u00a0Cloud'\nnumber: '2024-111'\nversion: '1.0'\noriginal_date: '2024-10-16'\ndate: '2024-10-16'\n---\n\n_History:_\n\n* _16/10/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn October 14, 2024, Splunk released several advisories addressing multiple high- and medium-severity vulnerabilities affecting Splunk Enterprise and Splunk Cloud. These vulnerabilities could lead to arbitrary file write to the Windows system root directory, access to potentially restricted data and remote code execution [1,2].\n\n# Technical Details\n\nThe vulnerability **CVE-2024-45733**, with a CVSS score of 8.8, could allow a low-privileged user that does not hold the \u201cadmin\u201d or \u201cpower\u201d Splunk roles to achieve remote code execution (RCE) due to an insecure session storage configuration.\n\nThe vulnerability **CVE-2024-45731**, with a CVSS score of 8.0, could allow a low-privileged user that does not hold the \u201cadmin\u201d or \u201cpower\u201d Splunk roles to write a file to the Windows system root directory, which by default is the Windows `System32` folder, when Splunk Enterprise for Windows is installed on a separate drive. The user could write a malicious DLL which, if loaded, could result in remote execution of the code within that DLL.\n\nThe vulnerability **CVE-2024-45732**, with a CVSS score of 7.1, could allow a low-privileged user that does not hold the \u201cadmin\u201d or \u201cpower\u201d Splunk roles to run a search as the \u201cnobody\u201d Splunk user in the SplunkDeploymentServerConfig app. This could let the low-privileged user access potentially restricted data.\n\nPlease refer to https://advisory.splunk.com/ for the complete list of vulnerabilities.\n\n# Affected Products\n\n- The vulnerability **CVE-2024-45733** affects the Splunk Web component of Splunk Enterprise for Windows versions 9.2.0 to 9.2.2, and 9.1.0 to 9.1.5.\n- The vulnerability **CVE-2024-45731** affects the Splunk Web component of Splunk Enterprise for Windows versions 9.3.0, 9.2.0 to 9.2.2, and 9.1.0 to 9.1.5, if the Splunk Enterprise instance is installed on a separate disk.\n- The vulnerability **CVE-2024-45732** affects the SplunkDeploymentServerConfig component of Splunk Cloud Platform and of Splunk Enterprise versions 9.2.0 to 9.2.2, and 9.3.0.\n\n# Recommendations\n\nIt is recommended to update affected assets as soon as possible, prioritising Internet-facing devices.\n\nIt is also recommended:\n\n- disabling the Splunk Web component on indexers in distributed environments;\n- restricting write access to knowledge objects within Splunk apps by modifying the local.meta file in the `$SPLUNK_HOME/etc/apps/SplunkDeploymentServerConfig/metadata` directory as follows:\n\n```\n[]\naccess = read : [ * ], write : [ admin ]\n```\n\n# References\n\n[1] <https://advisory.splunk.com/>\n\n[2] <https://cybersecuritynews.com/splunk-vulnerabilities-remote-code/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>16/10/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On October 14, 2024, Splunk released several advisories addressing multiple high- and medium-severity vulnerabilities affecting Splunk Enterprise and Splunk Cloud. These vulnerabilities could lead to arbitrary file write to the Windows system root directory, access to potentially restricted data and remote code execution [1,2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2024-45733</strong>, with a CVSS score of 8.8, could allow a low-privileged user that does not hold the \u201cadmin\u201d or \u201cpower\u201d Splunk roles to achieve remote code execution (RCE) due to an insecure session storage configuration.</p><p>The vulnerability <strong>CVE-2024-45731</strong>, with a CVSS score of 8.0, could allow a low-privileged user that does not hold the \u201cadmin\u201d or \u201cpower\u201d Splunk roles to write a file to the Windows system root directory, which by default is the Windows <code>System32</code> folder, when Splunk Enterprise for Windows is installed on a separate drive. The user could write a malicious DLL which, if loaded, could result in remote execution of the code within that DLL.</p><p>The vulnerability <strong>CVE-2024-45732</strong>, with a CVSS score of 7.1, could allow a low-privileged user that does not hold the \u201cadmin\u201d or \u201cpower\u201d Splunk roles to run a search as the \u201cnobody\u201d Splunk user in the SplunkDeploymentServerConfig app. This could let the low-privileged user access potentially restricted data.</p><p>Please refer to https://advisory.splunk.com/ for the complete list of vulnerabilities.</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>The vulnerability <strong>CVE-2024-45733</strong> affects the Splunk Web component of Splunk Enterprise for Windows versions 9.2.0 to 9.2.2, and 9.1.0 to 9.1.5.</li><li>The vulnerability <strong>CVE-2024-45731</strong> affects the Splunk Web component of Splunk Enterprise for Windows versions 9.3.0, 9.2.0 to 9.2.2, and 9.1.0 to 9.1.5, if the Splunk Enterprise instance is installed on a separate disk.</li><li>The vulnerability <strong>CVE-2024-45732</strong> affects the SplunkDeploymentServerConfig component of Splunk Cloud Platform and of Splunk Enterprise versions 9.2.0 to 9.2.2, and 9.3.0.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to update affected assets as soon as possible, prioritising Internet-facing devices.</p><p>It is also recommended:</p><ul><li>disabling the Splunk Web component on indexers in distributed environments;</li><li>restricting write access to knowledge objects within Splunk apps by modifying the local.meta file in the <code>$SPLUNK_HOME/etc/apps/SplunkDeploymentServerConfig/metadata</code> directory as follows:</li></ul><pre><code>[]\naccess = read : [ * ], write : [ admin ]\n</code></pre><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://advisory.splunk.com/\">https://advisory.splunk.com/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://cybersecuritynews.com/splunk-vulnerabilities-remote-code/\">https://cybersecuritynews.com/splunk-vulnerabilities-remote-code/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}
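The advisory's "Affected Products" list and its local.meta mitigation both lend themselves to a quick check script. The following Python is an added example written for this page, not code from CERT-EU or Splunk: it encodes the version ranges exactly as the advisory lists them, and it parses a `.meta` file to find stanzas whose write list still grants roles beyond `admin`, then rewrites the `[]` default stanza to the advisory's value. The sample local.meta content is constructed for the example; fixed versions are not stated in the advisory, so the script only reports whether a build falls inside an affected range.

```python
"""Checks for CERT-EU SA 2024-111: affected Splunk Enterprise versions and
local.meta write permissions. Sample meta content below is constructed."""
import re

# Affected ranges as listed in the advisory. Splunk Cloud is patched by Splunk
# and is not version-checked here; fixed versions are not given in the advisory.
AFFECTED = {
    "CVE-2024-45733": {"platform": "windows", "separate_disk": False,
                       "ranges": [("9.2.0", "9.2.2"), ("9.1.0", "9.1.5")]},
    "CVE-2024-45731": {"platform": "windows", "separate_disk": True,
                       "ranges": [("9.3.0", "9.3.0"), ("9.2.0", "9.2.2"), ("9.1.0", "9.1.5")]},
    "CVE-2024-45732": {"platform": None, "separate_disk": False,
                       "ranges": [("9.2.0", "9.2.2"), ("9.3.0", "9.3.0")]},
}


def parse_version(v):
    # Compare major.minor.patch only, so a build like 9.2.2.1 still matches the
    # 9.2.2 upper bound instead of silently sorting above it.
    return tuple(int(x) for x in v.split(".")[:3])


def affected_cves(version, platform, separate_disk=False):
    """CVEs from the advisory that apply to this Splunk Enterprise instance."""
    v = parse_version(version)
    hits = []
    for cve, spec in AFFECTED.items():
        if spec["platform"] and spec["platform"] != platform.lower():
            continue
        if spec["separate_disk"] and not separate_disk:
            continue
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in spec["ranges"]):
            hits.append(cve)
    return hits


# .meta files are INI-like: '[]' is the app-wide default stanza and a
# '[type/name]' stanza overrides it for one knowledge object.
ACCESS_RE = re.compile(r"read\s*:\s*\[([^\]]*)\]\s*,\s*write\s*:\s*\[([^\]]*)\]")
HARDENED_ACCESS = "access = read : [ * ], write : [ admin ]"   # value from the advisory


def parse_meta(text):
    """Return {stanza_name: {key: value}} for a .meta file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def overly_permissive_stanzas(text, allowed=("admin",)):
    """Stanza names whose write list grants anything outside `allowed` (e.g. '*' or 'power')."""
    flagged = []
    for name, keys in parse_meta(text).items():
        m = ACCESS_RE.search(keys.get("access", ""))
        if not m:
            continue  # no explicit access line: inherits the default, nothing to flag
        roles = [r.strip() for r in m.group(2).split(",") if r.strip()]
        if any(r not in allowed for r in roles):
            flagged.append(name)
    return flagged


def harden_default_stanza(text):
    """Set the '[]' default stanza's access line to the advisory's value, adding it if absent."""
    out, current, done = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if current == "" and not done:   # leaving '[]' without an access= line
                out.append(HARDENED_ACCESS)
                done = True
            current = s[1:-1]
        elif current == "" and s.startswith("access"):
            out.append(HARDENED_ACCESS)
            done = True
            continue
        out.append(line)
    if current == "" and not done:           # '[]' was the last stanza, no access= line
        out.append(HARDENED_ACCESS)
        done = True
    if not done:                             # no '[]' stanza at all: prepend one
        out = ["[]", HARDENED_ACCESS, ""] + out
    return "\n".join(out) + "\n"


# Constructed sample: the default stanza lets 'power' write, one saved search lets anyone.
SAMPLE_META = """[]
access = read : [ * ], write : [ admin, power ]
export = system

[savedsearches/Deployment Server Status]
access = read : [ * ], write : [ * ]
owner = admin
"""
```

Running `overly_permissive_stanzas(harden_default_stanza(SAMPLE_META))` still reports the saved-search stanza: the advisory's `[]` edit only changes the app default, and any explicit per-object stanza keeps its own (wider) write list, so those need to be reviewed or removed as well.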