Potential Remote Command Execution (RCE) through arbitrary file write to Windows system root directory when Splunk Enterprise for Windows is installed on a separate disk
CVE-2024-45731
8 HIGH
Summary
In Splunk Enterprise for Windows, when installed on a separate drive, a vulnerability exists that allows low-privileged users who do not hold the 'admin' or 'power' roles to write files directly to the Windows system root directory. An arbitrary file write to that location can give unauthorized access to critical system files and, as the advisory title states, may lead to remote command execution. Affected installations are particularly those running versions prior to 9.3.1, 9.2.3, and 9.1.6. Organizations using these versions should assess their configurations and apply the remedial measures detailed in the Splunk security advisory.
Affected Version(s)
Splunk Enterprise 9.3 < 9.3.1
Splunk Enterprise 9.2 < 9.2.3
Splunk Enterprise 9.1 < 9.1.6
CVSS V3.1
Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Credit
Alex Hordijk (hordalex)