Recent Splunk Enterprise Vulnerability Easy to Exploit: Security Firm

July 19, 2024 at 11:06AM

SonicWall warns that a recently patched Splunk Enterprise vulnerability, CVE-2024-36991, is more severe than initially considered. The vulnerability, with a CVSS score of 7.5, allows for path traversal on the /modules/messaging/ endpoint, potentially granting access to sensitive files. SonicWall urges users to update or disable Splunk Web to mitigate the risk. There are over 220,000 internet-exposed servers running Splunk.

The vulnerability, tracked as CVE-2024-36991, affects Splunk Enterprise on Windows versions prior to 9.2.2, 9.1.5, and 9.0.10. It can be exploited with a simple GET request, allowing an attacker to perform path traversal on the /modules/messaging/ endpoint if Splunk Web is enabled on a vulnerable instance.

According to SonicWall, an attacker could exploit this vulnerability to perform a directory listing on the endpoint and potentially gain access to sensitive files on the system. SonicWall also notes that proof-of-concept (PoC) code targeting the security defect has been released on GitHub, increasing the risk of exploitation.

SonicWall notes that there are over 220,000 internet-exposed servers running Splunk, although it is unclear how many of these are vulnerable. To mitigate the vulnerability, users are advised to update their Splunk Enterprise on Windows installations as soon as possible or to disable Splunk Web.
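Two checks a defender would want from the details above, written as an added example rather than code from SonicWall, Splunk or the article: a version test against the fixed releases named here, and a scan of Splunk Web access-log lines for URL-encoded traversal sequences aimed at the /modules/messaging/ endpoint. The log format and the sample lines are constructed for illustration and are not from a real Splunk deployment.

```python
import re
from urllib.parse import unquote

# First fixed release per 9.x branch, as stated in the advisory summary above.
# Branches not listed (e.g. 8.x) are outside what the article covers.
FIXED_VERSIONS = {(9, 2): (9, 2, 2), (9, 1): (9, 1, 5), (9, 0): (9, 0, 10)}

def parse_version(version):
    """'9.2.1' -> (9, 2, 1); tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in version.strip().split("."))

def is_affected(version):
    """True if a Splunk Enterprise on Windows version is below its branch's fix.
    Returns None for branches the advisory summary does not mention."""
    ver = parse_version(version)
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        return None
    return ver < fixed

# A '..' path segment, delimited by '/' or '\' (Windows hosts accept both).
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
# Request line inside a common-log-format access entry (constructed layout).
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def is_traversal_attempt(request_path):
    """Decode twice so single- and double-encoded '..' are both caught,
    then require the request to target the vulnerable endpoint."""
    decoded = unquote(unquote(request_path))
    return "/modules/messaging/" in decoded and TRAVERSAL.search(decoded) is not None

def flag_traversal_requests(lines):
    """Return (client_ip, raw_path) for each log line that looks like an attempt."""
    hits = []
    for line in lines:
        match = REQ_RE.search(line)
        if match and is_traversal_attempt(match.group("path")):
            hits.append((line.split()[0], match.group("path")))
    return hits

# Constructed sample log lines: one benign app request, two encoded traversal
# attempts (single- and double-encoded), one legitimate request to the endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jul/2024:11:06:00 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 200 1234',
    '10.0.0.9 - - [19/Jul/2024:11:06:01 +0000] "GET /modules/messaging/..%2F..%2Fsecret.conf HTTP/1.1" 200 0',
    '10.0.0.9 - - [19/Jul/2024:11:06:02 +0000] "GET /modules/messaging/%252e%252e/%252e%252e/ HTTP/1.1" 404 0',
    '10.0.0.7 - - [19/Jul/2024:11:06:03 +0000] "GET /modules/messaging/Message.js HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    print(is_affected("9.2.1"), is_affected("9.2.2"))  # True False
    for client, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
```

Run the version check against the output of your own inventory and the log scan against Splunk Web's access log; a hit that returns HTTP 200 on an unpatched host deserves an incident ticket, not just an upgrade.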

Given the severity of the vulnerability and the potential for exploitation, users are strongly encouraged to upgrade their instances in accordance with the Splunk advisory to address the vulnerability.

In summary, it’s critical for organizations using Splunk Enterprise on Windows to take immediate action to address this vulnerability by updating their installations or disabling Splunk Web to mitigate the risk.