Platform: splunk
Component: splunk-enterprise
Fixed in: 9.3.1, 9.2.3, 9.1.6
CVE-2024-45731 describes an Arbitrary File Access vulnerability discovered in Splunk Enterprise for Windows. This flaw allows a low-privileged user, lacking administrative privileges, to write files to the Windows system root directory, specifically the System32 folder, when Splunk Enterprise for Windows is installed on a separate drive. The vulnerability impacts versions 9.1 through 9.3.0, and a fix is available in versions 9.3.1, 9.2.3, and 9.1.6.
The primary impact of CVE-2024-45731 is the ability for a non-administrative user to write files to the Windows System32 directory. This could be exploited to overwrite critical system files, execute malicious code, or escalate privileges. Attackers could potentially inject malicious DLLs, modify system configurations, or even gain control of the entire system. The ability to write to the system root directory bypasses standard security controls and represents a severe compromise. While the vulnerability requires a user to already have access to the Splunk Enterprise environment, it significantly lowers the barrier to entry for malicious activity.
CVE-2024-45731 was publicly disclosed on 2024-10-14. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is likely to be medium, given the potential impact and the lack of public exploits, but the ease of exploitation once a PoC is available could increase the score.
Organizations utilizing Splunk Enterprise for Windows, particularly those with deployments on separate drives and with less stringent access control configurations, are at risk. Environments with legacy Splunk deployments or those that haven't consistently applied security patches are especially vulnerable. Shared hosting environments where Splunk is installed could also be affected if the underlying host system is compromised.
Detection queries:
• windows / supply-chain: scheduled tasks that run as a Splunk account or launch a Splunk binary (MSFT_ScheduledTask exposes Principal.UserId, not Principal.Identity.Name)
  Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*splunk*" -or $_.Actions.Execute -like "*splunk*" }
• windows / supply-chain: running Splunk processes with their command lines (Win32_Process carries CommandLine on Windows PowerShell 5.1 as well as PowerShell 7; Get-Process only does on 7+)
  Get-CimInstance Win32_Process -Filter "Name LIKE '%splunk%'" | Select-Object ProcessId, Name, CommandLine
• windows / supply-chain: object-access audit events (4663) in which a Splunk process touched a file under System32 (Get-WinEvent has no -Filter parameter; in 4663, Properties[0] is the subject SID, Properties[6] the object name and Properties[11] the process name; events only appear if file-system auditing is enabled and System32 carries a SACL)
  Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 100 | Where-Object { $_.Properties[6].Value -like "*\System32\*" -and $_.Properties[11].Value -like "*splunk*" }
Disclosure:
Exploit status:
EPSS: 0.78% (74th percentile)
CISA SSVC:
CVSS vector:
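The third detection query above only matches positional event fields; the following script is an added example (not code from the advisory page or from Splunk) that turns it into a reusable hunt: it reads event 4663 fields by name from the event XML, keeps only accesses whose access mask includes write-class rights, restricts them to objects under %SystemRoot%\System32 and to processes matching a caller-supplied pattern, and returns one record per hit. The function name, its parameters and the write-mask bit set are choices made here, and the script assumes file-system object-access auditing is enabled with a SACL on System32, since without that no 4663 events exist to query.

```powershell
# Added example, not part of the original advisory page.
# Hunt Security log event 4663 for write-class access to files under
# %SystemRoot%\System32 performed by Splunk processes.
# Assumption: object-access auditing and a SACL on System32 are in place.

function Get-SplunkSystem32Writes {
    param(
        [int]$MaxEvents = 5000,
        [string]$System32 = (Join-Path $env:SystemRoot 'System32'),
        [string[]]$ProcessPattern = @('*splunk*')
    )
    # Access-mask bits that change directory content or file data:
    # WriteData/AddFile 0x2, AppendData/AddSubdir 0x4, WriteEA 0x10,
    # WriteAttributes 0x100, DELETE 0x10000
    $writeMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x100 -bor 0x10000

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read EventData by field name instead of relying on Properties[] positions
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        $objectName  = $d['ObjectName']
        $processName = $d['ProcessName']
        if (-not $objectName -or -not $d['AccessMask']) { continue }
        $mask = [Convert]::ToInt32($d['AccessMask'], 16)   # field is a hex string such as "0x2"

        # Only objects below System32, only write-class access
        if (-not $objectName.StartsWith($System32, [StringComparison]::OrdinalIgnoreCase)) { continue }
        if (($mask -band $writeMask) -eq 0) { continue }

        # Only processes matching the supplied pattern(s)
        $fromSplunk = $false
        foreach ($p in $ProcessPattern) { if ($processName -like $p) { $fromSplunk = $true } }
        if (-not $fromSplunk) { continue }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Process    = $processName
            Object     = $objectName
            AccessMask = '0x{0:x}' -f $mask
        }
    }
}

Get-SplunkSystem32Writes | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session, since reading the Security log requires administrative rights. Widen `-ProcessPattern` (for example `@('*')`) to see every write into System32 regardless of process, which is the baseline you need before deciding what is unusual for a given host.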
The primary mitigation for CVE-2024-45731 is to upgrade Splunk Enterprise for Windows to version 9.3.1, 9.2.3, or 9.1.6. If immediate upgrading is not possible, consider restricting user permissions within Splunk to prevent low-privileged users from performing file operations. Implement strict file system access controls on the Windows system to limit write access to the System32 directory. Monitor Splunk logs for any unusual file creation or modification activity. After upgrading, verify the fix by attempting to create a file in the System32 directory using a non-administrative Splunk user account; the operation should fail.
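The mitigation text lists three things to check on a host: the installed version against the fixed releases, whether the install sits on a drive other than the system drive (the condition the advisory attaches to the flaw), and whether System32 grants write rights more widely than expected. The script below is an added example, not code from the advisory page or from Splunk, that performs those checks. Everything not on the page is an assumption made here: that the Splunk service's image path points at `<SPLUNK_HOME>\bin\splunkd.exe`, that `<SPLUNK_HOME>\etc\splunk.version` contains a `VERSION=x.y.z` line, and the list of principals treated as the expected holders of write access on System32.

```powershell
# Added example, not part of the original advisory page or of Splunk's own tooling.
# Reports whether this host matches the advisory's conditions for CVE-2024-45731
# and lists non-administrative principals with write-class rights on System32.
# Assumptions: service image path locates SPLUNK_HOME; etc\splunk.version holds VERSION=x.y.z.

# Fixed releases as stated in the advisory; anything below them on that branch is affected
$FixedIn = @{ '9.1' = [version]'9.1.6'; '9.2' = [version]'9.2.3'; '9.3' = [version]'9.3.1' }

function Get-SplunkHome {
    # Derive SPLUNK_HOME from the registered service instead of a hard-coded path
    $svc = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'splunkd\.exe' } |
        Select-Object -First 1
    if (-not $svc) { return $null }
    if ($svc.PathName -match '^"?(?<exe>[^"]*?splunkd\.exe)') {
        # <SPLUNK_HOME>\bin\splunkd.exe -> <SPLUNK_HOME>
        return Split-Path (Split-Path $Matches.exe -Parent) -Parent
    }
    return $null
}

function Get-SplunkVersion([string]$SplunkHome) {
    $file = Join-Path $SplunkHome 'etc\splunk.version'   # assumed location of the version file
    if (-not (Test-Path $file)) { return $null }
    foreach ($line in Get-Content $file) {
        if ($line -match '^VERSION=(?<v>[\d.]+)') { return [version]$Matches.v }
    }
    return $null
}

function Test-AffectedVersion([version]$Version) {
    # Affected: 9.1.x below 9.1.6, 9.2.x below 9.2.3, 9.3.0 (below 9.3.1)
    $branch = '{0}.{1}' -f $Version.Major, $Version.Minor
    if (-not $FixedIn.ContainsKey($branch)) { return $false }
    return $Version -lt $FixedIn[$branch]
}

function Test-SeparateDrive([string]$SplunkHome) {
    # The advisory scopes the flaw to installs on a drive other than the system drive
    $installRoot = [IO.Path]::GetPathRoot((Resolve-Path $SplunkHome).Path)
    $systemRoot  = [IO.Path]::GetPathRoot($env:SystemRoot)
    return -not $installRoot.Equals($systemRoot, [StringComparison]::OrdinalIgnoreCase)
}

function Get-System32NonAdminWriters {
    # ACEs granting write-class rights on System32 to principals outside the
    # expected administrative set (list assumed here); each one widens the impact.
    $expected  = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
    $writeBits = [Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, CreateFiles, CreateDirectories'
    (Get-Acl (Join-Path $env:SystemRoot 'System32')).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $writeBits) -ne 0 -and
            $expected -notcontains $_.IdentityReference.Value
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

$splunkHome = Get-SplunkHome
if (-not $splunkHome) { Write-Warning 'No Splunk service found on this host.'; return }
$ver      = Get-SplunkVersion $splunkHome
$affected = if ($ver) { Test-AffectedVersion $ver } else { $null }
$separate = Test-SeparateDrive $splunkHome

[pscustomobject]@{
    SplunkHome      = $splunkHome
    Version         = $ver
    AffectedVersion = $affected
    SeparateDrive   = $separate
    Exposed         = [bool]($affected -and $separate)
}
Write-Host 'Non-administrative principals with write-class rights on System32:'
Get-System32NonAdminWriters | Format-Table -AutoSize
```

`Exposed` is true only when both advisory conditions hold; a host on an affected version but installed on the system drive still needs the upgrade, it just does not match the specific scenario described. The ACL listing is a separate finding: an empty table is the expected state, and any row in it deserves its own review.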
Upgrade Splunk Enterprise to version 9.3.1, 9.2.3, or 9.1.6 or later. This fixes the vulnerability that allows arbitrary file writes to the Windows system root directory. The update mitigates the risk of remote command execution.
CVE-2024-45731 is a HIGH severity vulnerability allowing low-privileged users to write files to the Windows System32 directory in Splunk Enterprise versions 9.1–9.3.0, potentially leading to system instability or code execution.
You are affected if you are running Splunk Enterprise for Windows versions 9.1, 9.2, or 9.3.0. Upgrade to 9.3.1, 9.2.3, or 9.1.6 to mitigate the risk.
Upgrade Splunk Enterprise for Windows to version 9.3.1, 9.2.3, or 9.1.6. As a temporary workaround, restrict file system permissions for the Splunk user account.
There is currently no evidence of active exploitation in the wild, but the vulnerability's ease of exploitation suggests it could become a target.
Refer to the official Splunk Security Advisory: [https://capital.splunk.com/#!/advisory/SPL-24-033](https://capital.splunk.com/#!/advisory/SPL-24-033)