October 16, 2024

Splunk Enterprise Multiple Vulnerabilities for RCE

Advisory
Kudelski Security Team

Summary

Splunk has disclosed several high-severity vulnerabilities in Splunk Enterprise and Splunk Cloud Platform, which allow attackers to execute remote code on vulnerable systems. The vulnerabilities, including CVE-2024-45733, CVE-2024-45731, and CVE-2024-45732, pose serious security risks and demand immediate attention.

In addition to the remote code execution flaws, Splunk has also addressed vulnerabilities in third-party packages (idna, certifi) used in the AWS Add-on.

Affected Systems and/or Application

  • Splunk Enterprise for Windows: Versions 9.3.0, 9.2.0 to 9.2.2, 9.1.0 to 9.1.5
  • Splunk Cloud Platform: Component: SplunkDeploymentServerConfig – Versions below 9.1.2308.207, 9.1.2312.100 to 9.1.2312.109, 9.2.2403.102 to 9.2.2403.102
  • Splunk Cloud Platform: Component: Splunkd – Versions 9.2.2403.100 to 9.2.2403.106, 9.1.2312.200 to 9.1.2312.203, below 9.1.2312.111
  • Splunk Cloud Platform: Component: Splunk Web – Versions 9.2.2403.100 to 9.2.2403.107, Below 9.1.2312.204
  • Splunk Secure Gateway: Versions 3.6.0 to 3.6.16, Below 3.4.259

Technical Details / Attack Overview

Critical Remote Code Execution (RCE) Vulnerabilities Require Immediate Action

Two major vulnerabilities, CVE-2024-45731 and CVE-2024-45733, could allow attackers to execute remote code on affected systems. CVE-2024-45731 affects Windows environments with Splunk installed on a separate disk, enabling attackers to drop malicious DLLs into the root directory. CVE-2024-45733 is tied to insecure session storage in versions below 9.2.3 and 9.1.6.

Threats from Low-Privilege Users

Several flaws, like CVE-2024-45732, grant low-privileged users excessive access, such as running unauthorized searches and exposing sensitive data. Additional vulnerabilities allow viewing of host images, crashing the daemon, and manipulating App Key Value Store settings.

Information Disclosure and XSS Issues

Splunk also addressed vulnerabilities related to information disclosure (CVE-2024-45738, CVE-2024-45739) and cross-site scripting (CVE-2024-45740, CVE-2024-45741), which could expose sensitive data or enable malicious script injection.

Please find below the full list of disclosed vulnerabilities:

SVD           | Date       | Title                                                                                                  | Severity | CVE
--------------|------------|--------------------------------------------------------------------------------------------------------|----------|---------------
SVD-2024-1012 | 2024-10-14 | Third-Party Package Updates in Splunk Enterprise – October 2024                                         | High     | –
SVD-2024-1011 | 2024-10-14 | Persistent Cross-Site Scripting (XSS) via props.conf on Splunk Enterprise                              | Medium   | CVE-2024-45741
SVD-2024-1010 | 2024-10-14 | Persistent Cross-Site Scripting (XSS) through Scheduled Views on Splunk Enterprise                     | Medium   | CVE-2024-45740
SVD-2024-1009 | 2024-10-14 | Sensitive information disclosure in AdminManager logging channel                                       | Medium   | CVE-2024-45739
SVD-2024-1008 | 2024-10-14 | Sensitive information disclosure in REST_Calls logging channel                                         | Medium   | CVE-2024-45738
SVD-2024-1007 | 2024-10-14 | Maintenance mode state change of App Key Value Store (KVStore) through Cross-Site Request Forgery      | Medium   | CVE-2024-45737
SVD-2024-1006 | 2024-10-14 | Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon                                     | Medium   | CVE-2024-45736
SVD-2024-1005 | 2024-10-14 | Improper Access Control for low-privileged user in Splunk Secure Gateway App                           | Medium   | CVE-2024-45735
SVD-2024-1004 | 2024-10-14 | Low Privilege User can View Images on the Host Machine by using the PDF Export feature in Splunk Web   | Medium   | CVE-2024-45734
SVD-2024-1003 | 2024-10-14 | Remote Code Execution (RCE) due to insecure session storage configuration in Splunk Enterprise        | High     | CVE-2024-45733
SVD-2024-1002 | 2024-10-14 | Low-privileged user could run search as nobody in SplunkDeploymentServerConfig app                     | High     | CVE-2024-45732
SVD-2024-1001 | 2024-10-14 | Potential Remote Command Execution (RCE) through arbitrary file write to Windows system root directory | High     | CVE-2024-45731

Recommendations

  1. Upgrade Immediately:
    • Splunk Enterprise: Upgrade to 9.3.1, 9.2.3, or 9.1.6 or later.
    • Splunk Cloud Platform: Ensure your instance is patched by Splunk.
  2. Mitigation:
    • Disable Splunk Web on vulnerable systems.
    • Modify access permissions in the SplunkDeploymentServerConfig app.
    • Avoid installing Splunk on a separate disk from the system drive.
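Fleet triage against the Splunk Enterprise ranges listed under Affected Systems and the fixed releases in the upgrade recommendation, as an added example (not Kudelski Security's or Splunk's code): the affected ranges and fix versions are the ones stated in this advisory; the host inventory is constructed.

```python
"""Map installed Splunk Enterprise versions to the release this advisory says to upgrade to."""
from __future__ import annotations

from typing import Optional

# (lowest affected, highest affected, first fixed release) per maintenance branch,
# taken from this advisory: 9.3.0 -> 9.3.1, 9.2.0-9.2.2 -> 9.2.3, 9.1.0-9.1.5 -> 9.1.6.
AFFECTED_BRANCHES = [
    ((9, 3, 0), (9, 3, 0), (9, 3, 1)),
    ((9, 2, 0), (9, 2, 2), (9, 2, 3)),
    ((9, 1, 0), (9, 1, 5), (9, 1, 6)),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version such as '9.2.2' (or build-suffixed '9.2.2.1') into a comparable tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version: str) -> Optional[str]:
    """Return the fixed release to move to, or None if the version is outside every affected range."""
    # Pad to three components so '9.2' compares as 9.2.0, and ignore any build suffix.
    core = (parse_version(version) + (0, 0, 0))[:3]
    for low, high, fixed in AFFECTED_BRANCHES:
        if low <= core <= high:
            return ".".join(map(str, fixed))
    return None


def triage_inventory(inventory: dict[str, str]) -> dict[str, Optional[str]]:
    """hostname -> fixed release (None means not in an affected range of this advisory)."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported Splunk Enterprise version.
    SAMPLE = {"sh-01": "9.2.2", "idx-01": "9.1.5", "idx-02": "9.3.1", "hf-01": "9.0.9", "ds-01": "9.3.0"}
    for host, fixed in triage_inventory(SAMPLE).items():
        print(f"{host}: {'upgrade to ' + fixed if fixed else 'not in an affected range'}")
```

A version outside the listed ranges (for example 9.0.x) is reported as "not in an affected range" only with respect to this advisory; it is not a statement that the release is supported or otherwise current.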

Additional Information: Splunk has also addressed vulnerabilities in third-party packages (idna, certifi) used in the AWS Add-on.

Action Required: Apply patches immediately and review security settings to prevent exploitation.

Detection: To detect potential exploitation related to CVE-2024-45731 and CVE-2024-45733, Splunk has released a corresponding correlation search: Detection: Splunk RCE Through Arbitrary File Write to Windows System Root | Splunk Security Content

What is the CFC doing?

The CFC will identify and patch affected versions immediately to mitigate potential attacks. We will continue to monitor the situation and send an advisory update if needed.
