Today we discuss a recently disclosed vulnerability, CVE-2024-23676, affecting Splunk Enterprise versions below 9.0.8 and 9.1.3. It allows a low-privileged user to view metrics data on an index they do not have permission to view by using the mrollup SPL command. Exploitation requires user interaction from a high-privileged user, but the outcome is still disclosure of metrics data to someone who should not see it, which is a confidentiality risk for enterprise-critical data.

Vulnerability Details

The mrollup SPL (Search Processing Language) command in Splunk rolls metrics data up into a summarized view. Because of this vulnerability, an attacker with low-privilege access can get an mrollup command run against an index their role is not permitted to search and thereby read metrics data from it. To succeed, the attacker must induce a high-privileged user to perform an action that triggers execution of the mrollup command.

Here is an example of how an attacker could abuse the mrollup command:

| mrollup index=* my_metric_name1 my_metric_name2 span=1h window=s

In this example, the attacker uses mrollup to read metrics data across all indexes (index=*), specifically the my_metric_name1 and my_metric_name2 metrics, rolled up with a span of one hour (span=1h) and a window given in seconds (window=s). The point of the vulnerability is that the index=* target is not checked against the indexes the attacker's role is actually allowed to search.

Exploitation

To exploit this vulnerability, the attacker needs a high-privileged user to take some action on their behalf. Two plausible ways to obtain that interaction are:

1. Social engineering: the attacker convinces the high-privileged user to run a crafted SPL query containing the mrollup command.
2. User interface manipulation: the attacker builds a dashboard that issues the mrollup search when the high-privileged user opens or interacts with it.
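Whichever route the attacker takes, the mrollup search ends up in Splunk's _audit index, so the practical detection is to look there for mrollup searches that name an index the running user is not granted. The following is an added example, not code from the original post or from Splunk: it parses constructed lines in the shape of _audit "Audit:[...]" search events, then compares the index= argument of any mrollup search against a hypothetical per-user index grant table (ALLOWED_INDEXES stands in for what authorize.conf or the roles REST endpoint would give you). The user names, index names and the grant table are assumptions.

```python
import re

# Constructed sample lines shaped like Splunk _audit search events.
# Not from the original post; users, indexes and search_ids are hypothetical.
SAMPLE_AUDIT = [
    "Audit:[timestamp=01-23-2024 10:15:02.123, user=analyst1, action=search, "
    "info=granted, search_id='1706004902.12', search='search index=app_logs error', "
    "apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME']",
    "Audit:[timestamp=01-23-2024 10:16:40.501, user=analyst1, action=search, "
    "info=granted, search_id='1706005000.13', "
    "search='| mrollup index=* my_metric_name1 my_metric_name2 span=1h', "
    "apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME']",
    "Audit:[timestamp=01-23-2024 10:18:11.009, user=admin, action=search, "
    "info=granted, search_id='1706005091.14', "
    "search='| mrollup index=metrics_prod cpu.util span=1h', "
    "apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME']",
    "Audit:[timestamp=01-23-2024 10:19:00.000, user=analyst1, action=search, "
    "info=granted, search_id='1706005140.15', "
    "search='| mrollup index=metrics_finance revenue span=1h', "
    "apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME']",
]

# Hypothetical grants: which indexes each user's roles may search.
# In a real deployment, derive this from authorize.conf or the roles endpoint.
ALLOWED_INDEXES = {
    "analyst1": {"app_logs", "metrics_app"},
    "admin": {"*"},  # "*" stands for every index
}

# key=value pairs; a value is either single-quoted (may contain commas and
# spaces) or bare (runs to the next comma or the closing bracket).
FIELD_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,\]]*)")
# mrollup is a generating command, so it appears at the start or after a pipe.
MROLLUP_RE = re.compile(r"(?:^|\|)\s*mrollup\b", re.IGNORECASE)
INDEX_RE = re.compile(r"\bindex\s*=\s*([\w*.\-]+)", re.IGNORECASE)


def parse_audit_line(line):
    """Return the key=value fields of one Audit:[...] line as a dict."""
    start, end = line.find("["), line.rfind("]")
    if start < 0 or end < start:
        return {}
    fields = {}
    for key, value in FIELD_RE.findall(line[start + 1:end]):
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        fields[key] = value.strip()
    return fields


def index_allowed(user, index):
    """True if the user's grants cover the index named in the search."""
    grants = ALLOWED_INDEXES.get(user, set())
    if "*" in grants:
        return True
    if "*" in index:  # a wildcard reaches past any explicit grant
        return False
    return index in grants


def find_mrollup_overreach(lines):
    """Return (user, index, search) for every granted mrollup search whose
    index= argument is outside the running user's grants."""
    hits = []
    for line in lines:
        fields = parse_audit_line(line)
        if fields.get("action") != "search" or fields.get("info") != "granted":
            continue
        search = fields.get("search", "")
        if not MROLLUP_RE.search(search):
            continue
        match = INDEX_RE.search(search)
        index = match.group(1) if match else ""  # no index= is also suspect
        if not index_allowed(fields.get("user", ""), index):
            hits.append((fields.get("user", ""), index, search))
    return hits


if __name__ == "__main__":
    for user, index, search in find_mrollup_overreach(SAMPLE_AUDIT):
        print(f"REVIEW user={user} index={index} search={search!r}")
```

Two caveats when running this against a real _audit index. First, because the exploit needs a high-privileged user to trigger the search, the audit event may be recorded under that user rather than the attacker, so also review mrollup searches by privileged users that name indexes they would not normally roll up, and trace dashboards or saved searches containing mrollup back to their owner. Second, the grant table here is a stand-in; build it from your actual role-to-index mapping rather than hard-coding it.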

Affected Versions and Mitigations

This vulnerability affects Splunk Enterprise versions below 9.0.8 and 9.1.3. The Splunk Security Advisory directs users to upgrade their deployments to version 9.0.8 or 9.1.3 (or a later release in the same branch); upgrading is the mitigation.
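The fix is branch-specific, and a common mistake is to compare version strings lexically, which makes 9.1.10 look older than 9.1.3. The following added example (not from the original post or from Splunk) decides vulnerable/fixed for a version string, or the first line of `splunk version` output, using the two fixed versions the advisory text above names. Anything outside the 9.0 and 9.1 branches is reported as unknown because the page does not cover it; that choice is an assumption.

```python
import re

# Fixed versions from the advisory text, keyed by release branch.
FIXED_BY_BRANCH = {(9, 0): (9, 0, 8), (9, 1): (9, 1, 3)}

# First dotted number in the text; patch level is optional ("9.1" -> 9.1.0).
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '9.1.2' or 'Splunk 9.1.2 (build ...)' into the tuple (9, 1, 2)."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def cve_2024_23676_status(text):
    """'vulnerable', 'fixed' or 'unknown' for a Splunk Enterprise version.

    Tuple comparison avoids the lexical trap where '9.1.10' < '9.1.3'.
    Branches other than 9.0 and 9.1 are 'unknown' here (assumption: the
    advisory text only names those two); check the advisory for them.
    """
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown"
    return "vulnerable" if version < fixed else "fixed"


if __name__ == "__main__":
    for sample in ("9.0.7", "9.0.8", "9.1.2", "Splunk 9.1.3 (build 1234abcd)", "9.1.10", "9.2.0"):
        print(f"{sample:32} -> {cve_2024_23676_status(sample)}")
```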

Conclusion

CVE-2024-23676 is an information-disclosure vulnerability in Splunk that allows unauthorized access to metrics data, putting the confidentiality of critical enterprise information at risk. Ensuring that your organization's Splunk deployment is updated to version 9.0.8 or 9.1.3 is essential to mitigating it. Additionally, organizations should foster a security-aware culture so that users, especially those with high-privilege access, think before running queries or opening dashboards they did not author.

Timeline

Published on: 01/22/2024 21:15:10 UTC
Last modified on: 01/29/2024 17:57:24 UTC