Multiple Splunk Vulnerabilities Attackers Bypass SPL Safeguards : Patch Now
Splunk Inc. has disclosed two significant vulnerabilities within its software suite, posing a considerable risk to organizations utilizing Splunk Enterprise and Splunk Cloud Platform.
The vulnerabilities, identified as CVE-2024-29945 and CVE-2024-29946, have been rated high in severity with CVSS scores of 7.2 and 8.1, respectively.
These security flaws could potentially allow attackers to expose authentication tokens and bypass safeguards for risky commands, underscoring the urgent need for affected users to apply the provided patches.
Authentication Tokens Exposure
The first vulnerability, CVE-2024-29945, affects Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9. It involves the exposure of authentication tokens during the token validation process, which could occur when Splunk Enterprise is running in debug mode or when the JsonWebToken component is configured to log its activity at the DEBUG logging level.
Normally, Splunk Enterprise operates with debug mode and token authentication turned off, and the JsonWebToken process is configured at the INFO logging level.
However, if exploited, this vulnerability could allow unauthorized access to sensitive data, as the exposure would require either local access to the log files or administrative access to internal indexes.
Cisco recently acquired Splunk in a mega deal worth a staggering $28 billion. This acquisition is expected to have significant implications for both companies, as the deal brings together two tech giants with complementary strengths and expertise.
Risky SPL commands
The second vulnerability, CVE-2024-29946, impacts Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, as well as Splunk Cloud Platform versions below 9.1.2312.100.
This flaw resides in the Dashboard Examples Hub of the Splunk Dashboard Studio app, where it lacks protections for risky SPL (Search Processing Language) commands.
Consequently, attackers could bypass SPL safeguards for risky commands with the permissions of a highly-privileged user in the Hub. The exploitation of this vulnerability would typically require the attacker to phish the victim by tricking them into initiating a request within their browser.
Splunk has responded to these vulnerabilities by releasing patches for the affected versions and providing mitigation strategies for users unable to upgrade immediately.
For CVE-2024-29945, users are advised to turn off debug mode, restart the instance without using the –debug argument, and rotate any potentially exposed authentication tokens.
For CVE-2024-29946, Splunk recommends upgrading to the fixed versions or, if the Dashboard Examples Hub is not in use, disabling or deleting the app. Additionally, turning off Splunk Web is suggested as a likely workaround.
Splunk has recently released patches to address a security flaw and as part of this update, they have also provided Third-Party Package Updates for their Splunk Universal Forwarder and Splunk Enterprise products.
These vulnerabilities highlight the importance of maintaining up-to-date software and adhering to best security practices.
Organizations using Splunk are urged to review their systems, apply the necessary patches, and follow the recommended mitigation strategies to protect their data and infrastructure from potential threats.
Source: https://bit.ly/3uS5LZ2