SonicWALL Inc.

07/17/2024 | Press release | Distributed by Public on 07/17/2024 14:11

Critical Splunk Vulnerability CVE-2024-36991: Patch Now to Prevent Arbitrary File Reads

Overview

The SonicWall Capture Labs threat research team became aware of an arbitrary file read vulnerability affecting Splunk Enterprise installations. Tracked as CVE-2024-36991 and given a CVSSv3 score of 7.5, the vulnerability is more severe than it initially appeared. It is classed as a path traversal (CWE-35) and lets an attacker walk the file system to read files or directories outside the directory the web server is meant to serve from. Splunk ingests machine-generated data and indexes, searches, analyzes and visualizes it in real time; it is widely used for business and web analytics, application management, compliance and security monitoring.

A proof of concept is publicly available on GitHub. Splunk Enterprise versions below 9.2.2, 9.1.5 and 9.0.10 are vulnerable. An unauthenticated attacker can perform a path traversal against the /modules/messaging/ endpoint of a Splunk Enterprise instance on Windows that has Splunk Web enabled. Although Splunk is generally thought of as an internal deployment, Fofa reports up to 230k Splunk servers exposed on the Internet. Splunk has released patched versions, and administrators are advised to update immediately.

Technical Overview

The vulnerability stems from how Python's os.path.join handles drive letters on Windows: when a path component carries the same drive letter as the path built so far, the drive prefix is stripped from that component and the remainder is appended as a relative segment. In general, os.path.join() takes multiple path components as arguments and concatenates them into a single path, inserting the path separator appropriate to the operating system, as shown in Figure 1.

Figure 1: os.path.join() function

Windows keeps a separate current directory for each drive. A drive-relative path such as C:source_dir (a drive letter followed directly by a name, with no separator after the colon) therefore means source_dir inside the current directory of drive C:, as Figure 2 illustrates.

Figure 2: Directory listing on Windows and Linux

According to the os.path.join documentation, on Windows the drive is not reset when a rooted path segment (e.g., r'\foo') is encountered; if a segment is on a different drive or is an absolute path, all previous segments are ignored and the drive is reset. The case that matters here is the remaining one: a segment that names the same drive as the path built so far but is not rooted (C:foo, or C:..) is treated as relative, so its drive prefix is dropped and the rest is appended to the accumulated path.

Figure 3: Absolute path as output of the Python os.path.join() function

CVE-2024-36991 abuses exactly this os.path.join behaviour: a request path whose segments each carry a matching drive letter passes through as a traversal, letting an attacker read files outside the directory the Splunk endpoint is meant to serve and potentially exposing sensitive files on the system. The issue is confined to Splunk Enterprise instances on Windows with Splunk Web enabled, since the drive-letter handling described above is specific to Windows path semantics.
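To make the mechanism concrete, the following Python snippet is an added example written for this page; it is not Splunk's code. It reproduces the drive-letter behaviour with the ntpath module, so the Windows semantics can be exercised on any operating system. The module root, the naive per-segment filter and the attacker-supplied segments are constructed for the demonstration and are assumptions about the vulnerable pattern, not the actual Splunk handler; the hardened function shows the check a practitioner would apply instead.

```python
# Added example (not Splunk's code): reproduces the os.path.join drive-letter
# behaviour behind CVE-2024-36991 and contrasts a per-segment '..' filter with a
# check on the normalised result. ntpath is used explicitly so the Windows
# semantics can be exercised on any operating system.
import ntpath

# Constructed stand-in for the directory a web module handler serves from (assumption).
MODULE_ROOT = r"C:\Splunk\share\splunk\search_mrsparkle\modules"

# Attacker-controlled segments, constructed for the demo, as a handler would see
# them after splitting the URL path on '/'. No token equals '..', but each 'C:..'
# names the same drive as MODULE_ROOT, so ntpath.join drops the 'C:' and appends
# the bare '..' as a relative step.
EVIL_SEGMENTS = ["C:..", "C:..", "C:..", "C:..", "C:..", "Windows", "win.ini"]


def join_segments_naive(root, segments):
    """Constructed vulnerable pattern (illustrative, not Splunk's handler):
    reject a segment only when it is exactly '..', then feed every remaining
    segment to os.path.join one at a time."""
    path = root
    for seg in segments:
        if seg == "..":
            raise ValueError(f"rejected segment {seg!r}")
        path = ntpath.join(path, seg)  # 'C:..' is appended as '\..'
    return path


def resolve_inside_root(root, segments):
    """Hardened form: build the path, normalise away '.' and '..', then require
    that the result still lies under root. Catches 'C:..', plain '..', and
    absolute or other-drive segments (which reset the drive in ntpath.join)."""
    root_n = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_n, *segments))
    try:
        inside = ntpath.commonpath([root_n, candidate]) == root_n
    except ValueError:
        # commonpath raises when the paths are on different drives
        inside = False
    if not inside:
        raise ValueError(f"path escapes root: {candidate}")
    return candidate


def demo():
    """Runs both handlers against the constructed input and reports what each did."""
    naive_path = join_segments_naive(MODULE_ROOT, EVIL_SEGMENTS)
    result = {
        "naive_path": naive_path,
        "naive_resolves_to": ntpath.normpath(naive_path),
    }
    try:
        resolve_inside_root(MODULE_ROOT, EVIL_SEGMENTS)
        result["hardened_rejected"] = False
    except ValueError:
        result["hardened_rejected"] = True
    try:
        join_segments_naive(MODULE_ROOT, [".."])
        result["naive_rejects_plain_dotdot"] = False
    except ValueError:
        result["naive_rejects_plain_dotdot"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print both outcomes. The naive filter never sees a segment equal to '..', yet the path it builds normalises to C:\Windows\win.ini; the hardened check catches it because it compares the normalised final path against the root rather than inspecting segments, which also covers absolute and other-drive segments that make os.path.join discard everything built so far.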

Figure 4 shows a sample crafted GET request that performs the path traversal against a vulnerable Splunk Enterprise instance and results in an arbitrary file read.

Figure 4: CVE-2024-36991 attack request

Exploiting the Vulnerability

A single crafted GET request to a vulnerable Splunk instance with Splunk Web enabled is enough to exploit the issue. No authentication is required; the attacker only needs network access to the instance, whether over the Internet or a local network. The publicly available PoC supplies such a request. Figure 5 demonstrates exploitation using that PoC.

Figure 5: CVE-2024-36991 Exploitation

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4469 - Splunk Enterprise Path Traversal

Remediation Recommendations

Where the upgrade cannot be applied immediately, administrators can disable Splunk Web as a workaround (startwebserver = 0 under [settings] in $SPLUNK_HOME/etc/system/local/web.conf), and should disable any other unnecessary Splunk Enterprise components as described in the web.conf configuration specification. Turning off Splunk Web removes the browser-based interface, so this is a stopgap rather than a fix.

Given the severity of this vulnerability and reports of attackers attempting to exploit it in the wild, users are strongly encouraged to upgrade to 9.2.2, 9.1.5 or 9.0.10 (or later) in accordance with the Splunk advisory.

Relevant Links

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.