Vulnerability in Splunk Secure Gateway App Allows Remote Code Execution

A security vulnerability (CVE-2024-53247) has been disclosed in the Splunk Secure Gateway app, which ships with Splunk Enterprise and Splunk Cloud Platform. It allows an authenticated low-privileged user, one who holds neither the admin nor the power Splunk role, to execute arbitrary code on the Splunk instance, a significant threat given what a Splunk server typically has access to.

Details of the Vulnerability

The vulnerability affects several versions of Splunk Enterprise and Splunk Cloud Platform running the Splunk Secure Gateway app. The root cause is deserialization of untrusted data through unsafe use of the jsonpickle Python library. Unlike the standard json module, jsonpickle can import modules, instantiate arbitrary Python objects and call functions named in the input it decodes, so an authenticated user without administrator-level privileges can turn a crafted message into code execution.
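The mechanism behind this class of bug, as an added example that is not Splunk's code and does not reproduce the Splunk Secure Gateway endpoint: jsonpickle encodes Python objects as JSON with `py/` tag keys, and its decoder turns those tags back into imports and calls, so whoever controls the text handed to `jsonpickle.decode()` chooses which callable runs. The payload below is constructed and deliberately benign (it names `os.getcwd` where an attacker would name something like `os.system`); the message schema, the field names and the `load_message` helper are assumptions for illustration. If jsonpickle is not installed the unsafe path reports that and is skipped, while the hardened path runs on the standard library alone.

```python
import json
import os

try:
    import jsonpickle  # the library the advisory names; optional for this demo
except ImportError:
    jsonpickle = None

# Constructed attacker input. jsonpickle reads "py/function" as "import this
# callable" and "py/reduce" as "call element 0 with the tuple in element 1",
# so the decoder itself performs the call. The target is benign on purpose.
ATTACKER_PAYLOAD = json.dumps(
    {"py/reduce": [{"py/function": "os.getcwd"}, {"py/tuple": []}]}
)

# Constructed benign message in the shape the hardened loader expects.
GOOD_MESSAGE = json.dumps({"device_id": "dev-42", "action": "ping", "ttl": 30})


def decode_unsafely(raw):
    """The vulnerable pattern: untrusted text straight into jsonpickle.decode().

    Returns None when jsonpickle is not installed. Note that decode(safe=True)
    only disables the eval()-based py/repr path; py/reduce, py/object and
    py/function still resolve and invoke whatever the input names.
    """
    if jsonpickle is None:
        return None
    return jsonpickle.decode(raw)


def gadget_outcome():
    """Report what decode_unsafely() did with the constructed payload."""
    result = decode_unsafely(ATTACKER_PAYLOAD)
    if result is None:
        return "jsonpickle not installed"
    return "callable executed" if result == os.getcwd() else "not executed"


def find_pickle_tag(node):
    """Return the first jsonpickle tag key ('py/...') found anywhere in a
    decoded JSON tree, or None. Lets the caller log and reject tagged input."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith("py/"):
                return key
            found = find_pickle_tag(value)
            if found:
                return found
    elif isinstance(node, list):
        for item in node:
            found = find_pickle_tag(item)
            if found:
                return found
    return None


# Hypothetical message schema: field name -> exact Python type required.
MESSAGE_SCHEMA = {"device_id": str, "action": str, "ttl": int}


def load_message(raw):
    """Hardened replacement: the stdlib json decoder never imports or calls
    anything, and the result is checked against an explicit field whitelist
    before use. Raises ValueError on any deviation."""
    data = json.loads(raw)
    tag = find_pickle_tag(data)
    if tag is not None:
        raise ValueError(f"rejected serialized-object tag {tag!r}")
    if not isinstance(data, dict):
        raise ValueError("message must be a JSON object")
    unexpected = sorted(set(data) - set(MESSAGE_SCHEMA))
    if unexpected:
        raise ValueError(f"unexpected fields: {unexpected}")
    message = {}
    for field, required_type in MESSAGE_SCHEMA.items():
        # type() rather than isinstance() so that bool is not accepted as int
        if field not in data or type(data[field]) is not required_type:
            raise ValueError(f"field {field!r} missing or not {required_type.__name__}")
        message[field] = data[field]
    return message


def is_rejected(raw):
    """True if load_message() refuses the input."""
    try:
        load_message(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe decode:", gadget_outcome())
    print("hardened load of good message:", load_message(GOOD_MESSAGE))
    print("attacker payload rejected by hardened loader:", is_rejected(ATTACKER_PAYLOAD))
```

The practical rule the example encodes: any parser that can resolve type or function names from the wire (jsonpickle, pickle, yaml.load without SafeLoader) is an RPC surface, not a data format, and the fix is to decode untrusted input with a dumb parser and validate the shape explicitly rather than to filter "dangerous" class names.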

Affected Versions:

  • Splunk Enterprise: All versions below 9.3.2, 9.2.4, and 9.1.7
  • Splunk Secure Gateway (Splunk Cloud Platform): All versions below 3.2.461 and 3.7.13

Splunk rates the severity High, with a CVSSv3.1 base score of 8.8 (the Critical band in CVSSv3.1 starts at 9.0). The score reflects network-reachable code execution that needs only a low-privileged account.

Actions Taken by Splunk

Splunk has released patches to address this issue and strongly recommends users update their systems:

  • Splunk Enterprise: Versions 9.3.2, 9.2.4, 9.1.7, or higher
  • Splunk Secure Gateway (Splunk Cloud Platform): Splunk states it is actively monitoring and patching Splunk Cloud Platform instances, so Cloud customers do not apply the app update themselves.

Temporary Measures

If updating is not immediately possible, users can implement temporary measures:

  • Disable or remove the Splunk Secure Gateway app if Splunk Mobile, Spacebridge, and Mission Control are not in use. Those features stop working while the app is disabled, so confirm nobody depends on them first.
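As an added check, not Splunk's own tooling, the script below encodes the affected and fixed ranges listed above for Splunk Enterprise and the Secure Gateway app, and reads the app's installed version and enabled state from its app.conf, which is where a disabled app is recorded. The app folder name `splunk_secure_gateway` and the sample app.conf contents are assumptions for illustration; the version thresholds are the ones this page gives, and for Secure Gateway versions between 3.2.461 and 3.7 the page names no fixed release, so the script says so instead of guessing.

```python
import configparser

# Fixed versions named on this page: Splunk Enterprise 9.1.7, 9.2.4, 9.3.2;
# Splunk Secure Gateway app 3.2.461 and 3.7.13.
FIXED_ENTERPRISE_BY_BRANCH = {(9, 1): (9, 1, 7), (9, 2): (9, 2, 4), (9, 3): (9, 3, 2)}
FIXED_GATEWAY_BY_BRANCH = {(3, 2): (3, 2, 461), (3, 7): (3, 7, 13)}

# Constructed sample of the app's app.conf. The path
# $SPLUNK_HOME/etc/apps/splunk_secure_gateway/default/app.conf and the folder
# name are assumptions; [launch] version and [install] state are real keys.
SAMPLE_APP_CONF = """\
# constructed sample, not a real file
[launch]
version = 3.7.12
description = Splunk Secure Gateway

[install]
state = enabled
"""


def parse_version(text):
    """'9.2.3' -> (9, 2, 3). Raises ValueError on anything non-numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def enterprise_status(version):
    """'vulnerable' or 'fixed' for a Splunk Enterprise version string."""
    v = parse_version(version)
    fixed = FIXED_ENTERPRISE_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return "vulnerable" if v < fixed else "fixed"
    # Outside the three branches: 9.0 and older sit below every fixed version
    # on this page; later branches were released after the fix.
    return "vulnerable" if v < (9, 1, 7) else "fixed"


def gateway_status(version):
    """Status for a Splunk Secure Gateway app version string."""
    v = parse_version(version)
    fixed = FIXED_GATEWAY_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return "vulnerable" if v < fixed else "fixed"
    if v < (3, 2, 461):          # 3.1 and older: below both fixed versions
        return "vulnerable"
    if v >= (3, 7, 13):          # 3.8 and later: after the fix
        return "fixed"
    # 3.3 through 3.6: this page names no fixed version for these branches.
    return "check the vendor advisory"


def check_app_conf(text):
    """Read [launch] version and [install] state from app.conf text and
    return (version, status, enabled). Splunk .conf files are INI-shaped,
    so configparser handles them; interpolation is off because values may
    contain '%' and '$'."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(text)
    version = conf.get("launch", "version")
    state = conf.get("install", "state", fallback="enabled")
    return version, gateway_status(version), state.strip().lower() == "enabled"


if __name__ == "__main__":
    for ver in ("9.1.6", "9.2.4", "9.3.1", "9.4.0"):
        print("Splunk Enterprise", ver, "->", enterprise_status(ver))
    print("Secure Gateway app.conf ->", check_app_conf(SAMPLE_APP_CONF))
```

On a real host, feed `check_app_conf` the contents of `default/app.conf` and then `local/app.conf` under the app folder, since local overrides default and `splunk disable app <app_name>` records `state = disabled` in local; `splunk version` prints the Enterprise version for `enterprise_status`. Treat the app folder name above as something to verify against the actual `etc/apps` listing.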

Risks and Threats

Splunk is widely used for log management, Security Information and Event Management (SIEM), and related enterprise tasks, so this vulnerability affects organizations across many industries. A Splunk instance typically indexes logs from across the estate, holds credentials for integrations, and can push configuration to forwarders, so its compromise exposes far more than the host itself. Potential impacts of exploitation include:

  • Remote code execution
  • Unauthorized access to sensitive data
  • Full control of the system
  • Additional attacks within the network

Recommendations

Organizations using Splunk Enterprise or Splunk Cloud Platform are urged to review their systems immediately and apply the necessary updates. The High severity rating (CVSSv3.1 8.8) and the low privilege required underline the urgency.

Additionally, the following best security practices should be observed:

  • Regularly update all software
  • Remove unused components
  • Continuously monitor and analyze system activity
  • Employ firewalls and other protective measures

In the face of increasingly complex cyber threats, regular software updates and proactive security management remain essential defense mechanisms.
