CVE-2024-45731

Relative Path Traversal (CWE-23)

Published: Oct 14, 2024 / Updated: 36d ago

CVSS 8.0 (High) / EPSS 0.04%

Summary

In Splunk Enterprise for Windows versions below 9.3.1, 9.2.3, and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could write a file to the Windows system root directory, which has a default location in the Windows System32 folder, when Splunk Enterprise for Windows is installed on a separate drive.

Impact

A low-privileged Splunk user (one without the "admin" or "power" role) can write an attacker-controlled file into the Windows system root directory (by default under the Windows folder, including System32). A write primitive into that location is enough for DLL planting and similar file-based privilege escalation, which is why the vendor advisory describes the issue as potential remote command execution rather than a plain file write. The CVSS vector rates confidentiality, integrity and availability impact as High, with two qualifiers a defender should keep in mind: user interaction is required (UI:R), and the issue only applies when Splunk Enterprise for Windows is installed on a drive other than the system drive.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the time of writing.

Patch

A patch is available. Splunk has released updates to address this vulnerability in versions 9.3.1, 9.2.3, and 9.1.6 of Splunk Enterprise for Windows.

Mitigation

1. Update Splunk Enterprise for Windows to the fixed release for your branch: 9.3.1, 9.2.3, or 9.1.6.
2. Confirm whether the precondition applies: the issue is only reachable when Splunk Enterprise is installed on a drive other than the Windows system drive. Instances on the system drive are not affected by this specific bug, but should still be patched for the other advisories released alongside it.
3. If immediate patching is not possible, restrict access to Splunk Enterprise, especially for low-privileged accounts, and review which accounts hold roles below "admin" and "power".
4. Monitor and audit file creation in the Windows system root directory, in particular files created by Splunk processes, and treat any such write as suspicious.
5. Apply the principle of least privilege so that users hold only the roles they need.
6. Consider additional access controls or file system restrictions that prevent the Splunk service account from writing to critical system directories.
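The following script is an added example, not Splunk's code or anything from the advisory. It turns the mitigation steps above into three checks: a branch-aware version comparison against the fixed releases named in the advisory, the separate-drive precondition, and a detection pass over file-creation telemetry. The event records are constructed for the example and use Sysmon Event ID 11 (FileCreate) field names (Image, TargetFilename); the treatment of branches the advisory does not name (9.0 and older treated as affected, 9.4 and newer treated as fixed) is an assumption, as are the SPLUNK_HOME and drive letters used in the sample data.

```python
"""Checks for CVE-2024-45731: version, separate-drive precondition, and writes
into the Windows system root. Added example; not Splunk's code."""
import ntpath

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(9, 3): (9, 3, 1), (9, 2): (9, 2, 3), (9, 1): (9, 1, 6)}


def parse_version(text):
    """'9.2.2' -> (9, 2, 2); a build suffix such as '9.2.2-abc' is ignored."""
    core = text.strip().split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version):
    """True when the version is below the fixed release of its branch.

    Assumption: branches older than 9.1 have no fixed release listed and are
    treated as affected; branches newer than 9.3 are treated as fixed.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return v < (9, 1)


def on_separate_drive(splunk_home, system_root=r"C:\Windows"):
    """Precondition from the advisory: SPLUNK_HOME is not on the system drive."""
    return (ntpath.splitdrive(splunk_home)[0].upper()
            != ntpath.splitdrive(system_root)[0].upper())


def _under(path, root):
    """Case-insensitive 'path is inside root' after collapsing '..' segments."""
    p = ntpath.normpath(path).lower()
    r = ntpath.normpath(root).lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def suspicious_writes(events, splunk_home, system_root=r"C:\Windows"):
    """Return file-create events by a Splunk binary that land in the system root.

    Events are dicts shaped like Sysmon Event ID 11 (FileCreate); the field
    names are Sysmon's, the records themselves are constructed for this example.
    """
    splunk_bin = ntpath.join(splunk_home, "bin")
    return [ev for ev in events
            if _under(ev.get("Image", ""), splunk_bin)
            and _under(ev.get("TargetFilename", ""), system_root)]


# Constructed sample events (not real telemetry); SPLUNK_HOME assumed D:\Splunk.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"D:\Splunk\bin\splunkd.exe",
     "TargetFilename": r"D:\Splunk\var\log\splunk\splunkd.log"},      # normal
    {"EventID": 11, "Image": r"D:\Splunk\bin\splunkd.exe",
     "TargetFilename": r"C:\Windows\System32\evil.dll"},               # alert
    {"EventID": 11, "Image": r"D:\Splunk\bin\splunkd.exe",
     "TargetFilename": r"D:\Splunk\etc\..\..\..\Windows\notepad.exe"},  # stays on D:
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\x.tmp"},                      # not Splunk
]

if __name__ == "__main__":
    print("9.2.2 vulnerable:", is_vulnerable("9.2.2"))
    print("D:\\Splunk on separate drive:", on_separate_drive(r"D:\Splunk"))
    for ev in suspicious_writes(SAMPLE_EVENTS, r"D:\Splunk"):
        print("ALERT", ev["Image"], "->", ev["TargetFilename"])
```

The third sample event is there on purpose: a traversal that stays on the Splunk drive normalizes to D:\Windows, not the real system root, which is exactly why the advisory scopes this bug to installs on a separate drive. In production the same logic would run over real Sysmon or EDR file-create events rather than the constructed list.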

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-45731

Oct 14, 2024 at 5:15 PM
CVSS

A CVSS base score of 8 has been assigned.

Oct 14, 2024 at 5:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-45731.

Oct 14, 2024 at 5:23 PM / Vulners.com RSS Feed
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208947)

Oct 15, 2024 at 1:15 AM
Threat Intelligence Report

CVE-2024-45731 is classified as a medium-risk vulnerability, with a total of 11 vulnerabilities identified. A patch is available to address this issue, but no specific details regarding exploitation in the wild, proof-of-concept exploits, mitigations, detections, or downstream impacts on third-party vendors or technology are provided.

Oct 15, 2024 at 7:55 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 15, 2024 at 10:16 AM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 15, 2024 at 2:35 PM

Affected Systems

Splunk/splunk

Patches

advisory.splunk.com

Attack Patterns

CAPEC-139: Relative Path Traversal

References

Splunk Advisories
Classification: Severe / Solution: Official Fix / Exploit Maturity: Not Defined / CVSSv3.1: 8.8
CVEs: CVE-2024-45731, CVE-2024-45732, CVE-2024-45733, CVE-2024-45734, CVE-2024-45735, CVE-2024-45736, CVE-2024-45737, CVE-2024-45738, CVE-2024-45739, CVE-2024-45740, CVE-2024-45741
Summary: Remote Code Execution (RCE) due to insecure session storage configuration in Splunk Enterprise on Windows. In Splunk Enterprise for Windows versions below 9.2.3 and 9.1.6, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) due to insecure session storage configuration.
https://advisory.splunk.com/advisories/SVD-2024-1001 Potential Remote Command Execution (RCE) through arbitrary file write to Windows system root directory when Splunk Enterprise for Windows is installed on a separate disk
https://advisory.splunk.com/advisories/SVD-2024-1002 Low-privileged user could run search as nobody in SplunkDeploymentServerConfig app
Lower severity advisories:
SVD-2024-1004 Low Privilege User can View Images on the Host Machine by using the PDF Export feature in Splunk Classic Dashboard (Medium, CVE-2024-45734)
SVD-2024-1005 Improper Access Control for low-privileged user in Splunk Secure Gateway App (Medium, CVE-2024-45735)
SVD-2024-1006 Improperly Formatted 'INGEST_EVAL' Parameter Crashes Splunk Daemon (Medium, CVE-2024-45736)
SVD-2024-1007 Maintenance mode state change of App Key Value Store (KVStore) through Cross-Site Request Forgery (CSRF) (Medium, CVE-2024-45737)
SVD-2024-1008 Sensitive information disclosure in REST_Calls logging channel (Medium, CVE-2024-45738)
SVD-2024-1009 Sensitive information disclosure in AdminManager logging channel (Medium, CVE-2024-45739)
SVD-2024-1010 Persistent Cross-Site Scripting (XSS) through Scheduled Views on Splunk Enterprise (Medium, CVE-2024-45740)
SVD-2024-1011 Persistent Cross-Site Scripting (XSS) via props.conf on Splunk Enterprise (Medium, CVE-2024-45741)
Multiple Vulnerabilities in Splunk Enterprise and Splunk Cloud
The vulnerability CVE-2024-45731, with a CVSS score of 8.0, could allow a low-privileged user that does not hold the “admin” or “power” Splunk roles to write a file to the Windows system root directory, which has a default location in the Windows folder, when Splunk Enterprise for Windows is installed on a separate drive. The vulnerability CVE-2024-45733, with a CVSS score of 8.8, could allow a low-privileged user that does not hold the “admin” or “power” Splunk roles to perform a Remote Code Execution (RCE) due to an insecure session storage configuration.

News

Security Advisory On Critical Issues
A low-privileged attacker can exploit this vulnerability by writing a file to the Windows system root directory if Splunk is installed on a separate drive, potentially allowing the attacker to load a malicious DLL and execute code remotely. The remaining vulnerabilities fall into the medium and low categories, reflecting a range of potential threats that organizations using Splunk need to address urgently.
Splunk’s Recent Security Advisory: Addressing Vulnerabilities in Splunk Enterprise
A low-privileged attacker can exploit this vulnerability by writing a file to the Windows system root directory if Splunk is installed on a separate drive, potentially allowing the attacker to load a malicious DLL and execute code remotely. The advisory categorizes these Splunk vulnerabilities into three main classifications based on their Common Vulnerability Scoring System (CVSS) base scores, highlighting two critical high-risk issues, eight medium-risk vulnerabilities, and one low-risk vulnerability.
Splunk’s Latest Advisory: Addressing Multiple Vulnerabilities in Splunk Enterprise
Importantly, Splunk has confirmed that patches are available for all identified vulnerabilities, urging users to implement them promptly to mitigate potential risks. CVE-2024-45731 addresses a critical remote code execution vulnerability, receiving a CVSS score of 8.0, classified as high.
Cyber News Roundup for October 18, 2024
From drones probing military bases to critical vulnerabilities in widely used software and hackers exploiting outdated physical access controls, organizations and governments face a wide range of risks that demand immediate attention and action. As reported by researchers at Trend Micro, the group is deploying a backdoor that uses Microsoft Exchange servers to steal credentials and which exploits a known Windows flaw to elevate their privileges on compromised devices.

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
