SonicWall Warns of Increased Severity in Recently Patched Splunk Enterprise Vulnerability
A recent SonicWall advisory warns that a recently patched vulnerability in Splunk Enterprise is more severe than first assessed and can be exploited with a single crafted GET request.
The flaw, tracked as CVE-2024-36991 (CVSS 7.5), is a path traversal bug affecting Splunk Enterprise on Windows in versions earlier than 9.2.2, 9.1.5, and 9.0.10. Splunk released patches on July 1.
An attacker can use it to traverse directories through the /modules/messaging/ endpoint, provided Splunk Web is enabled on the vulnerable instance.
Splunk's advisory explains, “The vulnerability exists because the Python os.path.join function removes the drive letter from path tokens if the drive in the token matches the drive in the built path.”
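The quirk Splunk describes is easy to reproduce because Python ships the Windows path logic as the `ntpath` module, which runs on any OS. The block below is an added example, not code from Splunk, SonicWall or the page's source; the web-root directories, the handler functions and the request tokens are constructed for illustration and are not taken from the product. It shows `ntpath.join` dropping a same-drive prefix (so the `..` segments that follow are honoured), discarding the root entirely for a different drive, and keeping the prefix as an ordinary name under POSIX semantics, then a hardened join that rejects drive-qualified tokens and checks containment after normalisation.

```python
import ntpath
import posixpath

# Constructed example roots. The real install path and the vulnerable handler
# are not shown on this page; these exist only to illustrate the join quirk.
WEB_ROOT_WIN = r"C:\Program Files\Splunk\share\splunk\search_mrsparkle\modules"
WEB_ROOT_POSIX = "/opt/splunk/share/splunk/search_mrsparkle/modules"


def naive_join(root, token, joiner=ntpath):
    """What a handler that trusts os.path.join gets back.

    Under Windows semantics (ntpath) a token such as 'C:../../x' loses its
    drive letter when that drive matches the root's drive; the remainder is
    appended as a plain relative path, so its '..' segments survive.
    A token on a *different* drive replaces the root outright instead.
    """
    return joiner.join(root, token)


def join_on_posix(root, token):
    """Same join under POSIX rules: 'C:..' is just a directory name here."""
    return posixpath.join(root, token)


def naive_resolve(root, token, joiner=ntpath):
    """Join, then lexically normalise so the '..' segments collapse."""
    return joiner.normpath(naive_join(root, token, joiner))


def escapes_root(root, resolved, joiner=ntpath):
    """True when `resolved` lies outside `root` (case-insensitive under ntpath)."""
    root_n = joiner.normpath(root)
    try:
        return joiner.commonpath([root_n, resolved]) != root_n
    except ValueError:  # different drives, or abs/relative mix: outside the root
        return True


def safe_resolve(root, token, joiner=ntpath):
    """Hardened join: refuse drive-qualified or rooted tokens before joining,
    then confirm the normalised result is still under `root`."""
    drive, rest = joiner.splitdrive(token)
    if drive or rest[:1] in ("\\", "/"):
        raise ValueError(f"drive-qualified or absolute token rejected: {token!r}")
    resolved = naive_resolve(root, token, joiner)
    if escapes_root(root, resolved, joiner):
        raise ValueError(f"token escapes the web root: {token!r}")
    return resolved


def is_safe_token(root, token, joiner=ntpath):
    """Boolean wrapper around safe_resolve for quick checks."""
    try:
        safe_resolve(root, token, joiner)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tokens = [
        "messaging/index.html",        # legitimate request
        "../../../../etc/passwd",      # classic traversal
        "C:../../../../etc/passwd",    # same-drive prefix: stripped by ntpath.join
        "D:../../../../etc/passwd",    # other-drive prefix: root discarded entirely
    ]
    for tok in tokens:
        print(f"token      : {tok}")
        print(f"  ntpath   -> {naive_join(WEB_ROOT_WIN, tok)}")
        print(f"  normpath -> {naive_resolve(WEB_ROOT_WIN, tok)}")
        print(f"  posix    -> {join_on_posix(WEB_ROOT_POSIX, tok)}")
        verdict = "accepted" if is_safe_token(WEB_ROOT_WIN, tok) else "rejected"
        print(f"  hardened -> {verdict}")
```

The point to take away is that a check which only inspects the token for a leading `..` or a leading separator is not enough on Windows: `splitdrive` must be consulted first, and the joined, normalised path must be tested for containment under the web root before any file is opened.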
SonicWall emphasizes that exploiting CVE-2024-36991 lets an attacker obtain a directory listing through the endpoint and read sensitive files on the system.
According to SonicWall, “A crafted GET request to a vulnerable Splunk instance with Splunk Web enabled is necessary and sufficient to exploit the issue. An attacker only needs to be able to access the instance remotely, whether over the Internet or a local network.”
The urgency is heightened by the release of proof-of-concept (PoC) code targeting this vulnerability on GitHub, which increases the risk of exploitation.
Moreover, SonicWall points out that over 220,000 internet-exposed servers are running Splunk, although the number of vulnerable instances remains uncertain.
Users are strongly advised to update Splunk Enterprise on Windows immediately; as an interim mitigation, disabling Splunk Web removes the exposed endpoint, at the cost of taking the web interface offline.
SonicWall concludes, “Considering the severe consequences of this vulnerability and the trend of nefarious actors trying to leverage the exploit in the wild, users are strongly encouraged to upgrade their instances in accordance with the Splunk advisory to address the vulnerability.”
Source: pentest-tools