CVE-2024-45739

4.9 MEDIUM

📋 TL;DR

Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 may log plaintext passwords for local native authentication users when the AdminManager log channel is set to DEBUG level. This affects organizations using Splunk Enterprise with local user authentication and DEBUG logging enabled for AdminManager.

💻 Affected Systems

Products:
  • Splunk Enterprise
Versions: Below 9.3.1, 9.2.3, and 9.1.6
Operating Systems: All supported platforms
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when AdminManager log channel is configured at DEBUG logging level. Default logging levels do not expose passwords.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with access to log files could harvest plaintext passwords for local Splunk users, potentially gaining administrative access to the Splunk instance and sensitive data.

🟠 Likely Case

Internal users or attackers with existing log access could discover passwords, leading to unauthorized Splunk access and potential data exposure.

🟢 If Mitigated

With DEBUG logging disabled for AdminManager, passwords remain protected in logs, limiting exposure to standard logging levels.

🌐 Internet-Facing: MEDIUM - If the Splunk web interface is internet-accessible and logs are exposed, attackers could potentially access password data.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts with log access could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires access to log files where passwords are exposed.

Exploitation requires existing access to Splunk logs or the ability to read log files through other means.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.3.1, 9.2.3, or 9.1.6

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-1009

Restart Required: Yes

Instructions:

1. Back up Splunk configuration and data.
2. Download the appropriate patched version from Splunk downloads.
3. Stop Splunk services.
4. Install the update following the Splunk upgrade documentation.
5. Restart Splunk services.
6. Verify version and functionality.

🔧 Temporary Workarounds

Disable DEBUG logging for AdminManager

all

Change AdminManager log channel from DEBUG to INFO or higher level to prevent password logging.

Edit $SPLUNK_HOME/etc/log.cfg or use Splunk CLI to modify logging levels

🧯 If You Can't Patch

  • Ensure AdminManager log channel is not set to DEBUG level
  • Restrict access to Splunk log files to authorized administrators only

🔍 How to Verify

Check if Vulnerable:

Check Splunk version via web interface (Settings > Server Info) or CLI, and verify AdminManager logging level in log.cfg.

Check Version:

$SPLUNK_HOME/bin/splunk version

Verify Fix Applied:

Confirm Splunk version is 9.3.1, 9.2.3, or 9.1.6 or higher, and test that passwords are not logged in DEBUG mode.
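
The two checks above (version and AdminManager level) can be combined into one audit script. This is an added example, not Splunk's or this page's own code; it assumes log.cfg entries of the form category.<channel>=<LEVEL> and that a log-local.cfg in the same directory overrides log.cfg. The function names and sample inputs are constructed for illustration.

```python
import re

# Fixed release per 9.x branch, as listed on this page.
FIXED = {(9, 3): 1, (9, 2): 3, (9, 1): 6}

def parse_version(text):
    """Pull (major, minor, patch) out of `splunk version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in: %r" % text)
    return tuple(int(part) for part in m.groups())

def version_is_affected(version):
    major, minor, patch = version
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # Assumption: branches older than 9.1 count as "below" the fixed releases.
    return (major, minor) < (9, 1)

def admin_manager_level(*cfg_texts):
    """Effective AdminManager level; later files override earlier ones.
    Assumes log.cfg lines of the form category.<channel>=<LEVEL>."""
    level = None
    for text in cfg_texts:
        for line in text.splitlines():
            m = re.match(r"\s*category\.AdminManager\s*=\s*(\w+)", line)
            if m:  # commented-out lines start with '#' and do not match
                level = m.group(1).upper()
    return level  # None means the channel is not overridden in these files

def assess(version_output, log_cfg, log_local_cfg=""):
    version = parse_version(version_output)
    level = admin_manager_level(log_cfg, log_local_cfg)
    affected = version_is_affected(version)
    return {"version": version, "affected_version": affected,
            "admin_manager_level": level,
            "at_risk": affected and level == "DEBUG"}

# Constructed sample input, not taken from a real deployment.
SAMPLE_VERSION = "Splunk 9.2.2 (build 0123456789ab)"
SAMPLE_LOG_CFG = "[splunkd]\nrootCategory=WARN,A1\ncategory.AdminManager=INFO\n"
SAMPLE_LOG_LOCAL = "[splunkd]\n# category.AdminManager=INFO\ncategory.AdminManager=DEBUG\n"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_LOG_CFG, SAMPLE_LOG_LOCAL))
```

The script reads configuration on disk only; a logging level changed at runtime will not appear in these files.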

📡 Detection & Monitoring

Log Indicators:

  • Plaintext passwords appearing in splunkd.log or other log files
  • DEBUG level logging entries containing authentication data

Network Indicators:

  • Unauthorized access attempts to Splunk log files

SIEM Query:

index=_internal source=*splunkd.log "password" DEBUG | table _time, host, source, _raw
