Summary:
A new vulnerability, CVE-2024-23676, hits Splunk users hard. It lets a low-privileged user peek at metrics data from indexes they are supposed not to access, using the mrollup SPL command. This is possible in Splunk Enterprise versions before 9..8 and 9.1.3, and needs the cooperation (intentional or not) of a high-privileged user. In this post, let’s break down this vulnerability in simple terms, show exploit steps, include code snippets, and give exclusive insight for admins and users.
What is CVE-2024-23676?
Splunk is a popular platform for searching, monitoring, and analyzing machine-generated big data. It has permissions-based controls: users shouldn’t see what they are not allowed to.
With CVE-2024-23676, however, the mrollup command can be exploited by a user with low privileges to view metrics from indexes that they’re not authorized to access. The catch: a high-privileged user has to run a crafted SPL query from the low-privileged user.
Splunk’s advisory:
https://advisory.splunk.com/advisories/SVD-2024-0602
Exploit Flow
1. Low-privileged user crafts a malicious search query using mrollup that references a restricted index.
2. High-privileged user is fooled or convinced to run this query, for example by importing a search saved/shared by the attacker, running a report, or opening a scheduled alert.
Here’s a simple query using mrollup
| mrollup index=secret_index
Step 2. Deliver Payload to Victim User
- Save the query as a report or dashboard panel and share or assign ownership to the high-privileged user.
Step 3. Victim Runs the Query
- Victim launches the report or alert. Because their session has access to secret_index, the mrollup runs successfully.
Step 4. Leak the Data
- Results are now visible to the low-privileged attacker, depending how the sharing/report output is configured. Even if the direct search is not exposed, the metrics might be sent in email, web widgets, or dashboards the attacker can see.
Suppose the attacker wants to get metric names and measurements from a forbidden metrics index
| mrollup index=finance_metrics
| table _time, metric_name, value
- Use time and filters to target specific metrics
| mrollup index=finance_metrics metric_name="confidential.revenue"
| stats sum(value)
With mrollup, the permissions are determined by the user who executes the search.
- If a search or report is triggered in the context of an admin, but crafted by a low-privileged user, it runs as the admin and leaks the results back.
Patch immediately to 9..8 or 9.1.3 or later.
Real-World Exploit Scenario
- A junior analyst (attacker) creates a dashboard panel with a hidden mrollup query against the CFO’s metrics index.
Assigns the panel to a dashboard the CFO uses.
- When the CFO loads the dashboard, her credentials are used, and the metrics output is displayed or stored in a way the analyst can recover.
Conclusion
CVE-2024-23676 shows how subtle bugs in data analysis platforms like Splunk can break fundamental security promises.
If you run Splunk:
Patch now and review shared searches and dashboards.
Further reading & references:
- Splunk official advisory (SVD-2024-0602)
- Splunk mrollup official docs
- Download the patched Splunk Enterprise
Stay vigilant. Even low-privileged users can open big doors if you’re not careful.
*This writeup is exclusive, summarized in plain American language, and demonstrates both the exploit method using SPL code and the simple steps defenders should follow. Patch your Splunk now!*
Timeline
Published on: 01/22/2024 21:15:10 UTC
Last modified on: 01/29/2024 17:57:24 UTC