Critical Splunk flaw can be exploited to grab passwords (CVE-2024-36991)
A recently fixed vulnerability (CVE-2024-36991) affecting Splunk Enterprise on Windows “is more severe than it initially appeared,” according to SonicWall’s threat researchers.
Several PoC exploits have been published, including one by IT consultant Mohamed Nabil Ali that performs bulk scanning for vulnerable internet-facing endpoints and attempts to read the /etc/passwd file.
About CVE-2024-36991
Splunk Enterprise is a data analytics and monitoring platform that allows organizations to collect and analyze machine-generated data from a variety of sources, such as network and security devices, servers, etc.
CVE-2024-36991, discovered by Danylo Dmytriiev, is a path traversal vulnerability in Splunk Web, the platform’s user interface, and allows attackers to traverse the file system to access files or directories outside the restricted directory (/modules/messaging/).
“The vulnerability exists because of the Python os.path.join function that removes the drive letter from path tokens if the drive in the token matches the drive in the built path,” SonicWall’s researchers explained.
It can be exploited with a specially crafted GET request, and allows an attacker to perform a directory listing on the Splunk endpoint. Successful exploitation does not require prior authentication.
“An attacker only needs to be able to access the instance remotely, which could be over the Internet or a local network,” they added.
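The drive-letter behaviour SonicWall describes can be reproduced on any OS with Python's ntpath module, which is the Windows implementation behind os.path. The following is an added example, not Splunk's code: BASE_DIR and the tokens are constructed, and the hardened check normalizes the joined path and requires it to remain under the base directory instead of filtering the token.

```python
import ntpath  # Windows path semantics, usable on any OS for demonstration

# Constructed base directory; the real Splunk install path is not given on the page.
BASE_DIR = r"C:\Splunk\share\splunk\app\modules\messaging"


def naive_join(base, token):
    """Weak pattern: reject tokens that look absolute or start with '..',
    then trust join() to keep the result under base."""
    if ntpath.isabs(token) or token.startswith(".."):
        raise ValueError("rejected by naive filter")
    # A token such as 'C:..\\x' passes the filter: it is not absolute and does not
    # start with '..', yet join() drops its drive letter (same drive as base) and
    # appends the remaining '..\\x' as a relative path.
    return ntpath.join(base, token)


def is_contained(base, token):
    """True only if base joined with token, after normalization, stays under base."""
    base_norm = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base, token))
    try:
        # commonpath compares case-insensitively but returns the casing of its
        # first argument, so equality with base_norm is a containment test.
        return ntpath.commonpath([base_norm, candidate]) == base_norm
    except ValueError:
        # Raised when the token carried a different drive (e.g. 'D:\\x') and
        # join() discarded base entirely; treat that as an escape.
        return False


def safe_resolve(base, token):
    """Hardened pattern: validate the resolved path, not the raw token."""
    if not is_contained(base, token):
        raise ValueError("path escapes base directory")
    return ntpath.normpath(ntpath.join(base, token))


if __name__ == "__main__":
    # Constructed token: same drive letter as BASE_DIR, followed by parent references.
    token = r"C:..\..\..\escaped.txt"
    joined = naive_join(BASE_DIR, token)
    print(joined)                    # drive letter silently removed from the token
    print(ntpath.normpath(joined))   # resolves three levels above the base directory
    print(is_contained(BASE_DIR, token))  # False: the hardened check rejects it
```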
Mitigating the risk of exploitation
CVE-2024-36991 affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, but only on Windows, and only if the Splunk Web component is turned on.
“Although Splunk is famous mainly for dev environments, up to 230k exposed servers are running Splunk according to Fofa,” the threat researchers noted, and advised admins to implement the patch immediately.
Disabling Splunk Web also removes the risk of exploitation, though upgrading to a fixed version is preferred.
Splunk’s Threat Research team has provided a search query to detect exploitation attempts against the /modules/messaging endpoint.