CVE-2024-36987
📋 TL;DR
This vulnerability allows authenticated low-privileged users in Splunk Enterprise and Splunk Cloud Platform to upload files with arbitrary extensions via the indexing/preview REST endpoint. This could enable attackers to upload malicious files to the system. Affected users are those running vulnerable versions of Splunk Enterprise below 9.2.2, 9.1.5, or 9.0.10, or Splunk Cloud Platform below 9.1.2312.200.
💻 Affected Systems
- Splunk Enterprise
- Splunk Cloud Platform
📦 What is this software?
Cloud by Splunk
Splunk by Splunk
⚠️ Risk & Real-World Impact
Worst Case
An attacker could upload malicious files that might be executed in certain contexts, potentially leading to remote code execution or data exfiltration.
Likely Case
Attackers could upload malicious scripts or configuration files that might be executed by other processes or users, potentially leading to privilege escalation or persistence.
If Mitigated
With proper access controls and monitoring, the impact is limited to unauthorized file uploads that can be detected and removed before causing harm.
🎯 Exploit Status
Exploitation requires authenticated access, but only low privileges: the vulnerable REST endpoint is, by design, reachable by any authenticated user.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Splunk Enterprise 9.2.2, 9.1.5, or 9.0.10; Splunk Cloud Platform 9.1.2312.200 or later
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-0707
Restart Required: Yes
Instructions:
1. Back up your Splunk configuration and data.
2. Download the appropriate patch from Splunk's website.
3. Stop Splunk services.
4. Apply the patch according to Splunk's upgrade documentation.
5. Restart Splunk services.
6. Verify the version is updated.
🔧 Temporary Workarounds
Restrict access to indexing/preview endpoint
Modify Splunk's access controls to restrict low-privileged users from accessing the vulnerable REST endpoint.
Consult Splunk documentation for role-based access control configuration specific to your version.
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to Splunk instances from untrusted networks.
- Enhance monitoring and alerting for unusual file upload activities via Splunk logs.
🔍 How to Verify
Check if Vulnerable:
Check your Splunk version via the web interface (Settings > Server settings > General settings) or CLI.
Check Version:
- On Linux: /opt/splunk/bin/splunk version
- On Windows: "C:\Program Files\Splunk\bin\splunk.exe" version
Verify Fix Applied:
Verify the version is at or above the patched versions: 9.2.2, 9.1.5, or 9.0.10 for Enterprise; 9.1.2312.200 or later for Cloud Platform.
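The fixed versions above are per maintenance branch, so a single "is it at least 9.2.2?" comparison gets 9.1.5 and 9.0.10 wrong. The following is an added example (not part of the advisory or Splunk's tooling) that parses a version string and compares it against the fix for its own branch; the `Splunk X.Y.Z (build ...)` CLI output format and the sample inputs are assumed, and branches the advisory does not name are reported as needing manual review.

```python
import re
from typing import Tuple

# Fixed versions taken from the advisory text, keyed by (product, release branch).
# Splunk shipped a separate fix per maintenance branch, so a build is only fixed
# when it is at or above the fix for ITS OWN branch: 9.1.4 is vulnerable even
# though 9.1.4 is numerically greater than 9.0.10.
FIXED_VERSIONS = {
    ("enterprise", (9, 2)): (9, 2, 2),
    ("enterprise", (9, 1)): (9, 1, 5),
    ("enterprise", (9, 0)): (9, 0, 10),
    ("cloud", (9, 1)): (9, 1, 2312, 200),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted version number from text such as the assumed
    `splunk version` CLI output 'Splunk 9.2.1 (build ...)' or a bare
    '9.1.2312.200' (Cloud Platform builds carry four components)."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))

def assess(version_text: str, product: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted-branch' for CVE-2024-36987.

    'unlisted-branch' means the advisory names no fix for that branch, so the
    host must be checked against the vendor advisory by hand rather than
    assumed safe or unsafe."""
    version = parse_version(version_text)
    branch = version[:2]
    fixed = FIXED_VERSIONS.get((product, branch))
    if fixed is None:
        return "unlisted-branch"
    # Tuple comparison is element-wise, so 9.1.2403.100 >= 9.1.2312.200 and
    # 9.0.9 < 9.0.10 both compare correctly (plain string comparison would not).
    return "fixed" if version >= fixed else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inputs, one per branch named in the advisory.
    for text, product in [
        ("Splunk 9.2.1 (build 0123456789ab)", "enterprise"),  # constructed build id
        ("Splunk 9.1.5 (build 0123456789ab)", "enterprise"),
        ("9.0.9", "enterprise"),
        ("9.1.2312.200", "cloud"),
        ("9.3.0", "enterprise"),
    ]:
        print(f"{product:10} {text:36} -> {assess(text, product)}")
```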
📡 Detection & Monitoring
Log Indicators:
- Look for unusual file upload activities in Splunk's internal logs, especially via the indexing/preview endpoint.
Network Indicators:
- Monitor for unexpected HTTP POST requests to the indexing/preview REST endpoint (/services/indexing/preview) or similar REST endpoints.
SIEM Query:
index=_internal sourcetype=splunkd_access method=POST (uri="*indexing/preview*" OR uri="*upload*") | stats count by user, clientip, uri, status