CVE-2024-45733

8.8 HIGH

📋 TL;DR

In Splunk Enterprise for Windows, low-privileged users without admin or power roles can achieve remote code execution due to insecure session storage. This affects Windows installations of Splunk Enterprise versions below 9.2.3 and 9.1.6. Attackers could execute arbitrary code on vulnerable Splunk servers.

💻 Affected Systems

Products:
  • Splunk Enterprise
Versions: Windows versions below 9.2.3 and 9.1.6
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations. Linux and other platforms are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing an attacker to execute arbitrary code with the privileges of the Splunk service account, potentially leading to data theft, lateral movement, or ransomware deployment.

🟠 Likely Case

An attacker gains an initial foothold on the Splunk server and may escalate privileges to compromise the entire Splunk environment and access sensitive log data.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent low-privileged users from reaching the vulnerable endpoints.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated low-privileged user access. The CWE-502 classification (Deserialization of Untrusted Data) suggests exploitation is relatively straightforward once authenticated access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2.3 or 9.1.6

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-1003

Restart Required: Yes

Instructions:

1. Back up Splunk configuration and data.
2. Download and install Splunk Enterprise version 9.2.3 or 9.1.6 from Splunk downloads.
3. Restart the Splunk services.
4. Verify that the upgrade succeeded.

🔧 Temporary Workarounds

Restrict User Access (applies to: all)

Limit low-privileged user access to the Splunk web interface and APIs

Network Segmentation (applies to: all)

Isolate Splunk servers from general user networks

🧯 If You Can't Patch

  • Implement strict network access controls to limit which users can reach Splunk interfaces
  • Review and minimize low-privileged user accounts with Splunk access

🔍 How to Verify

Check if Vulnerable:

Check the Splunk version via the web interface (Settings > Server Info) or from the command line with: splunk version

Check Version:

splunk version

Verify Fix Applied:

Confirm the version is 9.2.3 or higher (for 9.2.x) or 9.1.6 or higher (for 9.1.x)
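The version check above is easy to get wrong across a fleet, because the fixed version depends on the release branch (9.2.x vs 9.1.x) and only Windows hosts are affected. The following is an added example, not Splunk's own tooling: it parses the output of splunk version (assumed here to look like "Splunk 9.1.5 (build ...)"), applies the two branch thresholds stated on this page, and returns a classification. The install path and the sample outputs are assumptions or constructed values.

```python
"""Assess a Splunk Enterprise host against CVE-2024-45733 using the fixed
versions stated on this page (9.2.3 for the 9.2.x branch, 9.1.6 for 9.1.x).
Added example, not Splunk's own tooling."""
import platform
import re
import subprocess

# Fixed versions from the advisory, keyed by (major, minor) release branch.
FIXED_VERSIONS = {(9, 2): (9, 2, 3), (9, 1): (9, 1, 6)}

# Assumed default Windows install path; adjust for your deployment.
DEFAULT_SPLUNK_BIN = r"C:\Program Files\Splunk\bin\splunk.exe"


def parse_version(text):
    """Pull a (major, minor, patch) tuple out of `splunk version` output,
    e.g. 'Splunk 9.1.5 (build 1a2b3c)' -> (9, 1, 5)."""
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version, os_name="Windows"):
    """Classify a version tuple.

    Returns one of:
      'not_affected' - non-Windows host (advisory: Windows installations only)
      'fixed'        - at or above the fixed version for its branch
      'vulnerable'   - below the fixed version for its branch
      'unlisted'     - a branch this page states no fixed version for;
                       consult the vendor advisory for those
    """
    if os_name.lower() != "windows":
        return "not_affected"
    branch = tuple(version[:2])
    if branch not in FIXED_VERSIONS:
        return "unlisted"
    return "fixed" if tuple(version) >= FIXED_VERSIONS[branch] else "vulnerable"


def assess_output(text, os_name="Windows"):
    """Assess raw `splunk version` output, e.g. collected from many hosts."""
    return assess(parse_version(text), os_name)


def assess_local_host(splunk_bin=DEFAULT_SPLUNK_BIN):
    """Run `splunk version` on this machine and classify the result."""
    result = subprocess.run([splunk_bin, "version"], capture_output=True,
                            text=True, check=True)
    return assess_output(result.stdout, platform.system())


if __name__ == "__main__":
    # Constructed sample outputs, as a fleet inventory might collect them.
    samples = {
        "win-splunk-01": "Splunk 9.1.5 (build 1a2b3c)",
        "win-splunk-02": "Splunk 9.2.3 (build 4d5e6f)",
    }
    for host, output in samples.items():
        print(f"{host}: {assess_output(output)}")
```

Run assess_local_host() on the Splunk server itself, or feed assess_output() the captured text from an inventory tool; tuple comparison handles the branch threshold without string tricks such as comparing "9.2.10" against "9.2.3" lexically.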

📡 Detection & Monitoring

Log Indicators:

  • Unusual session creation/modification by low-privileged users
  • Unexpected process execution from Splunk context
  • Authentication attempts from unexpected sources

Network Indicators:

  • Unusual outbound connections from Splunk servers
  • Suspicious API calls to session management endpoints

SIEM Query:

index=_internal source=*web_access.log (status=200 OR status=302) user!=admin user!=power | stats count by user, clientip, uri_path
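Note that the user field in web_access.log is a username, not a role, so user!=power only excludes an account literally named "power"; substitute the admin usernames used in your environment. As an added example (not part of this page's query or Splunk's code), the script below reproduces the same filter and stats aggregation offline over a few constructed web_access.log-style lines, which is handy for validating the query logic or for hosts whose _internal index is not searchable. The log layout is assumed to be the combined-log style shown in the sample; the lines themselves are constructed, not real traffic.

```python
"""Offline equivalent of the page's SIEM query: count successful (200/302)
Splunk web requests by user, client IP and URI path, excluding admin usernames.
Added example; the log lines below are constructed for illustration."""
import re
from collections import Counter

# Constructed sample lines in an assumed combined-log-style layout (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - analyst1 [02/Oct/2024:10:01:02.123 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 12ms
10.0.0.5 - analyst1 [02/Oct/2024:10:01:05.456 +0000] "POST /en-US/account/login HTTP/1.1" 302 0 "-" "Mozilla/5.0" - 8ms
10.0.0.9 - admin [02/Oct/2024:10:02:00.000 +0000] "GET /en-US/manager/search/saved/searches HTTP/1.1" 200 2048 "-" "Mozilla/5.0" - 20ms
10.0.0.5 - analyst1 [02/Oct/2024:10:03:00.000 +0000] "GET /en-US/app/search/search?q=index%3Dmain HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 11ms
10.0.0.7 - contractor [02/Oct/2024:10:04:00.000 +0000] "GET /en-US/manager/system/server/settings HTTP/1.1" 403 512 "-" "curl/8.0" - 3ms
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with clientip, user, uri_path and status, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "clientip": m["clientip"],
        "user": m["user"],
        # SPL's uri_path carries no query string, so drop it here too.
        "uri_path": m["uri"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def stats_by_user(lines, statuses=(200, 302), exclude_users=("admin", "power")):
    """Mirror `(status=200 OR status=302) user!=admin user!=power
    | stats count by user, clientip, uri_path`."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] not in statuses:
            continue
        if rec["user"] in exclude_users:
            continue
        counts[(rec["user"], rec["clientip"], rec["uri_path"])] += 1
    return dict(counts)


def top_entries(counts, limit=10):
    """Highest counts first, ties broken by key for stable output."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    for (user, ip, path), n in top_entries(stats_by_user(SAMPLE_LOG.splitlines())):
        print(f"{n:4d}  {user:<12} {ip:<15} {path}")
```

Pass the exclude_users tuple the real admin usernames from your deployment; the 403 line in the sample is dropped by the status filter exactly as it would be in the SPL version.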
