A new vulnerability, known as CVE-2024-23678, affects Splunk Enterprise for Windows versions below 9..8 and 9.1.3. As a highly popular platform for data analytics, Splunk's widespread use in organizations means that security risks must be addressed swiftly. This blog post will discuss the vulnerability in detail, provide code snippets to demonstrate the exploit, and offer guidance for mitigation through updating to safer versions of the software.

Vulnerability Overview

The issue stems from Splunk Enterprise's failure to properly sanitize path input data. This leads to the unsafe deserialization of untrusted data from a separate disk partition on the machine. Importantly, this vulnerability only impacts Splunk Enterprise for Windows.

Original Vulnerability Reference

Splunk Advisory: https://www.splunk.com/view/SP-CAAAPEH

Exploiting CVE-2024-23678

To exploit this vulnerability, an attacker must have write access to a separate disk partition on the victim's server. With this access, they could craft malicious data, save it on the separate disk partition, and then trick the Splunk Enterprise software into processing and deserializing the malicious data by providing a fake path.

For instance, an attacker could create a malicious file with the following content:

{
  "__type": "MyNamespace.ExploitClass, MyExploitAssembly",
  "InjectedCode": "MALICIOUS_CODE_HERE"
}

By saving this file on the separate disk partition and crafting a path that points to this file, the attacker could force Splunk to deserialize and execute the malicious code.

To demonstrate this exploit, the following code snippet illustrates a possible path manipulation using C#:

using System;
using System.IO;

namespace CVE_2024_23678_Exploit
{
    class Program
    {
        static void Main(string[] args)
        {
            string filePath = @"D:\malicious\payload.json";
            string craftedPath = @"C:\Splunk\Input\..\..\..\..\D:\malicious\payload.json";

            Console.WriteLine("Original file path: " + filePath);
            Console.WriteLine("Crafted file path: " + Path.GetFullPath(craftedPath));
        }
    }
}

Notably, the crafted path (C:\Splunk\Input\..\..\..\..\D:\malicious\payload.json) takes advantage of traversing back through the directory structure. When processed by Splunk, it would resolve to the malicious file stored on the separate disk partition (D:\malicious\payload.json).

Mitigation Steps

As this vulnerability exists in Splunk Enterprise for Windows versions below 9..8 and 9.1.3, affected users should immediately update to a more secure version. Splunk has released software updates addressing this vulnerability:

Splunk Enterprise version 9.1.x: Update to 9.1.3

These updates enforce proper path sanitization, eliminating the risk of malicious code execution via unsafe deserialization.
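
The kind of path sanitization described here can be sketched as a check that canonicalizes a supplied path and rejects anything that leaves the allowed directory or volume. This is an added example, not Splunk's code or the content of its patch. It assumes the base directory from the sample path above, uses a hypothetical function name check_path, and relies on Python's ntpath module so that Windows path rules apply on any OS.

```python
import ntpath  # Windows path semantics, usable on any OS

# Hypothetical base directory, taken from the page's sample path (assumption).
ALLOWED_BASE = r"C:\Splunk\Input"


def check_path(candidate, base=ALLOWED_BASE):
    """Return (ok, detail) for a caller-supplied path.

    Purely lexical: a real deployment would also resolve symlinks and
    junctions on the target host before comparing.
    """
    base_norm = ntpath.normcase(ntpath.normpath(base))
    base_drive, _ = ntpath.splitdrive(base_norm)

    # Relative input is interpreted under the base; absolute input replaces it.
    joined = ntpath.join(base, candidate)
    drive, rest = ntpath.splitdrive(joined)

    # A drive letter or UNC share other than the base's is another volume.
    if ntpath.normcase(drive) != base_drive:
        return False, "different volume: " + drive

    # A ':' after the drive prefix is an embedded drive specifier or an
    # NTFS alternate data stream; neither belongs in an input path.
    if ":" in rest:
        return False, "embedded ':' in path"

    # Collapse '..' segments, then require the result to stay under the base.
    # commonpath compares whole components, so C:\Splunk\InputX is not a match.
    resolved = ntpath.normcase(ntpath.normpath(joined))
    if ntpath.commonpath([base_norm, resolved]) != base_norm:
        return False, "escapes base: " + resolved
    return True, resolved


if __name__ == "__main__":
    # Constructed sample inputs; the second and third come from the page.
    samples = [
        r"events\app.json",
        r"D:\malicious\payload.json",
        r"C:\Splunk\Input\..\..\..\..\D:\malicious\payload.json",
        r"..\..\Other\data.json",
    ]
    for s in samples:
        print(s, "->", check_path(s))
```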

Conclusion

CVE-2024-23678 poses a serious risk to Splunk Enterprise for Windows users. By exploiting a lack of path sanitization, attackers can execute arbitrary code and potentially compromise an organization's analytics and monitoring infrastructure. It is vital that users update their Splunk installations to the latest, secure version to protect their systems from this threat.

Timeline

Published on: 01/22/2024 21:15:10 UTC
Last modified on: 01/29/2024 17:44:47 UTC