CVE-2024-45737
📋 TL;DR
This cross-site request forgery (CSRF) vulnerability lets a low-privileged Splunk user, one without the admin or power role, change the maintenance mode state of the App Key Value Store (KVStore). The attacker does not send the request to Splunk directly: they trick a user who is logged in to Splunk Web into opening a crafted page or link, and the victim's browser issues the state-changing request with the victim's own session. Affected: Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6, and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.204.
💻 Affected Systems
- Splunk Enterprise
- Splunk Cloud Platform
📦 What is this software?
Splunk Enterprise and Splunk Cloud Platform, by Splunk. Splunk indexes and searches machine data; the App Key Value Store (KVStore) is its built-in key-value database that apps use to persist state such as lookup collections. KVStore runs on search heads, and maintenance mode is an administrative state used during tasks such as KVStore server upgrades, which is why an unauthorized toggle matters.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could put KVStore into maintenance mode, or take it out of maintenance mode while an administrator is relying on it, disrupting every app that depends on KVStore collections (lookups, saved app state) until an administrator notices and restores the expected state. Integrity of the KVStore state is what is affected; no data disclosure is described.
Likely Case
Limited disruption to the apps that use KVStore, requiring an administrator to restore normal operations. The attacker needs both a low-privileged Splunk account and a successful phish of a logged-in user, which rules out fully unauthenticated, opportunistic exploitation.
If Mitigated
Minimal once the fixed versions are running. Before that, an administrator cannot add CSRF tokens to a vendor endpoint, so mitigation rests on reducing exposure (short sessions, restricted access to Splunk Web) and on monitoring for unplanned maintenance mode changes.
🎯 Exploit Status
Exploitation requires social engineering: the attacker must get a user with a live Splunk Web session to open a crafted page or link, so that the browser submits the maintenance mode request carrying the victim's session cookie. The attacker also needs to know the target's Splunk Web URL.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Splunk Enterprise 9.3.1, 9.2.3 and 9.1.6 (upgrade to the fixed release of the branch you run; the fixed releases exist only on the 9.1, 9.2 and 9.3 branches, so older branches must move up to one of them). Splunk Cloud Platform 9.2.2403.108 and 9.1.2312.204 (Splunk applies these; customers can only confirm the build they are on).
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-1007
Restart Required: Yes (a Splunk Enterprise upgrade stops and restarts splunkd)
Instructions:
1. Back up your Splunk configuration ($SPLUNK_HOME/etc) and, because this issue concerns KVStore, take a KVStore backup as well (the splunk backup kvstore command).
2. Download the fixed release for your branch from Splunk's website; Splunk ships full releases, not standalone patches.
3. Stop Splunk services.
4. Install the new release over the existing one following Splunk's upgrade documentation, including the upgrade order it prescribes for search head clusters and indexer clusters.
5. Start Splunk services.
6. Verify that every search head reports a version at or above the fixed release for its branch.
🔧 Temporary Workarounds
Limit CSRF Exposure
Splunk Web already ships an anti-CSRF mechanism: the splunkweb_csrf_token_<port> cookie, whose value must be echoed in the X-Splunk-Form-Key header on state-changing requests. A CSRF in a product that has this mechanism means a specific endpoint accepted the request without it, and that cannot be corrected from configuration. What an administrator can do:
Serve Splunk Web over HTTPS so the session cookie (splunkd_<port>) is marked Secure, and shorten the session timeout in web.conf (tools.sessions.timeout) so a phished user is less likely to hold a live session
Chromium-based browsers treat a cookie with no SameSite attribute as Lax, which keeps a cross-site form POST from carrying the session cookie unless the cookie was set within the last two minutes; do not rely on this for Firefox or for any request the endpoint accepts via GET
Restrict User Permissions
Review and minimize low-privileged user access to only the capabilities each role needs, since the attacker needs a Splunk account to stage the request.
Review Splunk role assignments and capabilities in Splunk Web (Settings > Roles) or in authorize.conf
Remove unnecessary capabilities from low-privileged roles and disable dormant accounts
🧯 If You Can't Patch
- Network segmentation limits who can reach Splunk Web, but does not by itself stop CSRF: the forged request is sent by the victim's own browser, which is already allowed in. It still reduces exposure by keeping Splunk Web off the public internet and limiting which accounts can hold a live session.
- Monitor for KVStore maintenance mode changes in splunkd_access.log and web_access.log (both in index=_internal) and in the audit trail, and treat any change outside a planned maintenance window as suspect
🔍 How to Verify
Check if Vulnerable:
Check the Splunk version via Splunk Web (Settings > Server Info) or from the command line. Any Splunk Enterprise version below 9.1.6, 9.2.3 or 9.3.1 on its respective branch is vulnerable, as is any 9.0.x or earlier release. In a distributed deployment check every search head, since that is where KVStore runs.
Check Version:
$SPLUNK_HOME/bin/splunk version
Verify Fix Applied:
Confirm the reported version is at or above the fixed release for your branch (9.1.6, 9.2.3 or 9.3.1; for Splunk Cloud Platform, 9.1.2312.204 or 9.2.2403.108). There is no configuration toggle to inspect; the version is the evidence. Note that a higher-looking number is not automatically safe: 9.2.1 is newer than 9.1.6 yet still vulnerable, because each branch has its own fixed release.
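Because the comparison is per branch, it is easy to get wrong by hand. The following is an added example, not Splunk's own tooling, that parses `splunk version` output (or a bare Cloud build number) and classifies it against the fixed releases listed on this page. Treating branches newer than the listed ones as fixed, and `/opt/splunk` as the default install path, are assumptions.

```python
"""Added example (not Splunk's own tooling): decide whether a Splunk
version string is below the fixed releases for CVE-2024-45737.

Fixed versions from the advisory: Splunk Enterprise 9.1.6 / 9.2.3 /
9.3.1 and Splunk Cloud Platform 9.1.2312.204 / 9.2.2403.108.  Treating
9.0.x and older as affected follows from "versions below 9.1.6";
treating branches newer than those listed as fixed is an assumption.
"""
import os
import re
import subprocess

# Three-part numbers are Splunk Enterprise releases, four-part numbers
# are Splunk Cloud Platform builds; each table maps (major, minor) to the
# first fixed release on that branch.
FIXED_ENTERPRISE = {(9, 1): (9, 1, 6), (9, 2): (9, 2, 3), (9, 3): (9, 3, 1)}
FIXED_CLOUD = {(9, 1): (9, 1, 2312, 204), (9, 2): (9, 2, 2403, 108)}
OLDEST_FIXED_BRANCH = (9, 1)

# Matches "9.2.1" or "9.2.2403.108" inside arbitrary text.
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){2,3})\b")


def parse_version(text):
    """Pull the dotted version out of output such as
    'Splunk 9.2.1 (build 78803f08aabb)' or a bare '9.2.2403.108'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True if `version` is below the first fixed release of its branch."""
    table = FIXED_CLOUD if len(version) == 4 else FIXED_ENTERPRISE
    branch = version[:2]
    if branch in table:
        return version < table[branch]
    # Branches older than 9.1 received no fix; newer branches are assumed
    # (assumption, not from the advisory) to ship with the fix included.
    return branch < OLDEST_FIXED_BRANCH


def check_local_install(splunk_home=None):
    """Run `$SPLUNK_HOME/bin/splunk version` and classify the result.
    The /opt/splunk fallback is the common default path, an assumption."""
    home = splunk_home or os.environ.get("SPLUNK_HOME", "/opt/splunk")
    out = subprocess.run([os.path.join(home, "bin", "splunk"), "version"],
                         capture_output=True, text=True, check=True).stdout
    version = parse_version(out)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_local_install()
    print(".".join(map(str, version)), "VULNERABLE" if vulnerable else "fixed")
```

Run it on each search head; for Splunk Cloud Platform, paste the build shown under Settings > Server Info into `parse_version` instead, since there is no local binary to query.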
📡 Detection & Monitoring
Log Indicators:
- KVStore maintenance mode changes in splunkd_access.log or web_access.log (both indexed in _internal) that do not line up with a planned maintenance activity. For CSRF, web_access.log is the more useful source: it records the browser's IP, Referer and User-Agent, whereas on a standard deployment requests proxied by Splunk Web reach splunkd from 127.0.0.1, so splunkd_access.log shows the loopback address rather than the victim's workstation
- A Referer on such a request that is not the Splunk Web origin, or no Referer at all; a forged request sent from an attacker's page carries that page's Referer unless the attacker's referrer policy strips it, and a legitimate Splunk Web request carries a Splunk Web page
- Rejected (non-2xx) state-changing requests clustered around the same time, which is what a CSRF attempt looks like when the anti-CSRF check does hold
Network Indicators:
- HTTP POST requests to the KVStore maintenance endpoint from unexpected client addresses or outside maintenance windows
SIEM Query:
(index=_audit action="kvstore_maintenance") OR (index=_internal sourcetype=splunkd_access uri="*/services/kvstore/*/maintenance*")
The sourcetype=splunkd_access events live in _internal; without index=_internal the second clause searches only the default indexes and returns nothing from that log. Confirm the action value and the URI pattern against what your instance logs when an administrator toggles maintenance mode deliberately; they are patterns to adapt, not guaranteed field values.
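The SIEM query finds maintenance mode requests; it cannot tell a forged one from a planned one. The Referer is the field that separates them, and Splunk Web's web_access.log records it. Below is an added example, not Splunk code, that applies that check to a few constructed web_access.log lines. The Splunk Web origin and the log lines are made up for the example, and the `/services/kvstore/example/maintenance` path in them is a placeholder shaped like the page's wildcard pattern; substitute the path your own instance logs.

```python
"""Added example (not Splunk's own code): flag KVStore maintenance-mode
changes in Splunk Web's web_access.log whose Referer is not the Splunk
Web origin.

A CSRF request is sent by the victim's browser with the victim's real
session, so the user field looks legitimate; the Referer (or its
absence) is what gives it away.  The log lines, the Splunk Web origin
and the '/services/kvstore/example/maintenance' path are constructed
for this example; the path is a placeholder, not a documented endpoint."""
import re
from urllib.parse import urlsplit

# web_access.log layout (combined-log style):
#   clientip - user [ts] "METHOD /uri HTTP/1.1" status bytes "referer" "agent" - reqid Nms
WEB_ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Placeholder pattern for the maintenance endpoint; it matches both the raw
# /services/... path and Splunk Web's /en-US/splunkd/__raw/services/... proxy path.
MAINTENANCE_URI = re.compile(r"/services/kvstore/.*maintenance", re.IGNORECASE)

# Constructed: the origin(s) your users load Splunk Web from.
SPLUNK_WEB_ORIGINS = {"https://splunk.example.com:8000"}

# Constructed sample lines: a planned change from the Splunk Web UI, a forged
# one with a foreign Referer, a forged one with the Referer stripped, a
# harmless status read, and a forged attempt that was rejected.
SAMPLE_LINES = [
    '10.0.0.5 - admin [10/Oct/2024:09:13:00.004 +0000] "POST /en-US/splunkd/__raw/services/kvstore/example/maintenance HTTP/1.1" 200 117 "https://splunk.example.com:8000/en-US/app/search/search" "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0" - 66f7a1c2d3e4f 12ms',
    '10.20.30.44 - admin [10/Oct/2024:10:41:17.552 +0000] "POST /en-US/splunkd/__raw/services/kvstore/example/maintenance HTTP/1.1" 200 117 "https://promo.example.net/win.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0" - 66f7b0a9c1d2e 9ms',
    '10.20.30.61 - jdoe [10/Oct/2024:10:42:03.101 +0000] "POST /en-US/splunkd/__raw/services/kvstore/example/maintenance HTTP/1.1" 200 117 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0" - 66f7b0c4e5f60 8ms',
    '10.0.0.5 - admin [10/Oct/2024:10:45:30.220 +0000] "GET /en-US/splunkd/__raw/services/kvstore/status HTTP/1.1" 200 2311 "https://splunk.example.com:8000/en-US/app/search/search" "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0" - 66f7b1a3f4a5b 3ms',
    '10.20.30.70 - rwong [10/Oct/2024:10:46:12.330 +0000] "POST /en-US/splunkd/__raw/services/kvstore/example/maintenance HTTP/1.1" 403 88 "https://promo.example.net/win.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0" - 66f7b1d1a2b3c 1ms',
]


def parse_web_access_line(line):
    """Return the fields of one web_access.log line, or None if the line
    does not follow the expected layout."""
    m = WEB_ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_maintenance_change(rec):
    """A state change is a successful non-GET request to the maintenance
    endpoint.  Drop the GET exclusion if your endpoint toggles state on
    GET: a GET is the easiest CSRF to deliver (an <img> tag is enough)."""
    return (rec["method"] != "GET"
            and MAINTENANCE_URI.search(rec["uri"]) is not None
            and 200 <= rec["status"] < 300)


def classify_referer(referer, expected_origins):
    """'ok' when the Referer is a page on the Splunk Web origin, 'missing'
    when the browser sent none, 'foreign' for any other origin."""
    if referer in ("", "-"):
        return "missing"
    parts = urlsplit(referer)
    origin = f"{parts.scheme}://{parts.netloc}"
    return "ok" if origin in expected_origins else "foreign"


def find_suspicious_changes(lines, expected_origins=SPLUNK_WEB_ORIGINS):
    """Successful maintenance-mode changes whose Referer is not Splunk Web,
    each returned with its fields plus a 'reason' of 'foreign' or 'missing'."""
    hits = []
    for line in lines:
        rec = parse_web_access_line(line)
        if rec is None or not is_maintenance_change(rec):
            continue
        verdict = classify_referer(rec["referer"], expected_origins)
        if verdict != "ok":
            hits.append({**rec, "reason": verdict})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_changes(SAMPLE_LINES):
        print(f"{hit['ts']} {hit['user']}@{hit['clientip']} "
              f"{hit['method']} {hit['uri']} -> {hit['status']} ({hit['reason']})")
```

Only successful changes are reported; the rejected attempt in the last sample line is still worth a separate, lower-severity alert, since it shows someone is trying. Note that the "admin" hit has a perfectly valid user name: that is the nature of CSRF, and why the Referer rather than the user is the signal.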