Splunk fixed tens of flaws in Splunk Enterprise and Cloud Platform

Technology company Splunk released security updates to address 16 vulnerabilities in Splunk Enterprise and Cloud Platform.

Technology company Splunk addressed 16 vulnerabilities in Splunk Enterprise and Cloud Platform, including four high-severity flaws.

The vulnerability CVE-2024-36985 is a Remote Code Execution (RCE) through an external lookup due to “copybuckets.py“ script in the “splunk_archiver“ application in Splunk Enterprise.

“In Splunk Enterprise versions below 9.0.10, 9.1.5, and 9.2.2, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could cause a Remote Code Execution through an external lookup that likely references the “splunk_archiver“ application.” reads the advisory. “The “splunk_archiver“ application likely contains a script called “copybuckets.py“ that itself references a file called “erp_launcher.py“, which would likely execute a script called “sudobash. The “sudobash“ script does not perform any input checking. Therefore it runs a bash shell with arguments supplied by the “erp_launcher.py“ file. This can lead to an RCE.”

Splunk Enterprise versions 9.2.2, 9.1.5, and 9.0.10, or higher address the issue, the company also recommends disabling the “splunk_archiver“ application to temporarily mitigate the issue.

The company addressed another high-serverity bug, tracked as CVE-2024-36984, which is a Remote Code Execution through Serialized Session Payload in Splunk Enterprise on Windows.

“In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code.” reads the advisory. “The exploit requires the use of the collect SPL command which writes a file within the Splunk Enterprise installation. The attacker could then use this file to submit a serialized payload that could result in execution of code within the payload.”

Splunk Enterprise versions 9.2.2, 9.1.5, and 9.0.10, or higher address the issue.

If users do not log in to Splunk Web on indexers in a distributed environment, disabling Splunk Web on those indexers can mitigate the issue.

Below is the list of the addressed flaws:

SVD	Date	Title	Severity	CVE
SVD-2024-0718	2024-07-01	Third-Party Package Updates in Splunk Enterprise – July 2024	High
SVD-2024-0717	2024-07-01	Persistent Cross-site Scripting (XSS) in conf-web/settings REST endpoint	Medium	CVE-2024-36997
SVD-2024-0716	2024-07-01	Information Disclosure of user names	Medium	CVE-2024-36996
SVD-2024-0715	2024-07-01	Low-privileged user could create experimental items	Medium	CVE-2024-36995
SVD-2024-0714	2024-07-01	Persistent Cross-site Scripting (XSS) in Dashboard Elements	Medium	CVE-2024-36994
SVD-2024-0713	2024-07-01	Persistent Cross-site Scripting (XSS) in Web Bulletin	Medium	CVE-2024-36993
SVD-2024-0712	2024-07-01	Persistent Cross-site Scripting (XSS) in Dashboard Elements	Medium	CVE-2024-36992
SVD-2024-0711	2024-07-01	Path Traversal on the “/modules/messaging/“ endpoint in Splunk Enterprise on Windows	High	CVE-2024-36991
SVD-2024-0710	2024-07-01	Denial of Service (DoS) on the datamodel/web REST endpoint	Medium	CVE-2024-36990
SVD-2024-0709	2024-07-01	Low-privileged user could create notifications in Splunk Web Bulletin Messages	Medium	CVE-2024-36989
SVD-2024-0708	2024-07-01	OpenSSL crypto library (libcrypto.so) incorrectly compiled with stack execution bit set in Splunk Enterprise and Universal Forwarder on certain operating systems	Informational
SVD-2024-0707	2024-07-01	Insecure File Upload in the indexing/preview REST endpoint	Medium	CVE-2024-36987
SVD-2024-0706	2024-07-01	Risky command safeguards bypass through Search ID query in Analytics Workspace	Medium	CVE-2024-36986
SVD-2024-0705	2024-07-01	Remote Code Execution (RCE) through an external lookup due to “copybuckets.py“ script in the “splunk_archiver“ application in Splunk Enterprise	High	CVE-2024-36985
SVD-2024-0704	2024-07-01	Remote Code Execution through Serialized Session Payload in Splunk Enterprise on Windows	High	CVE-2024-36984
SVD-2024-0703	2024-07-01	Command Injection using External Lookups	High	CVE-2024-36983
SVD-2024-0702	2024-07-01	Denial of Service through null pointer reference in “cluster/config” REST endpoint	High	CVE-2024-36982
SVD-2024-0701	2024-07-01	Remote Code Execution through dashboard PDF generation component	High

The company did not reveal if vulnerabilities were actively exploited in the wild.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, RCE)