Splunk Secure Gateway App Vulnerability Allows Remote Code Execution

### #SplunkSecurity #RemoteCodeExecution #VulnerabilityAlert

Summary: A critical vulnerability (CVE-2024-53247) in the Splunk Secure Gateway app could allow low-privileged users to execute arbitrary code on affected systems, posing significant security risks. This vulnerability affects multiple versions of Splunk Enterprise and the Splunk Secure Gateway app, necessitating immediate action from users.

Threat Actor: Unknown
Victim: Splunk Users

Key Points:

  • The vulnerability is deserialization of untrusted data: input is decoded with the jsonpickle Python library, which reconstructs arbitrary Python objects (classes and callables) from type tags embedded in the JSON.
  • Exploitation by an authenticated, low-privileged user leads to remote code execution on the Splunk instance, exposing the data it holds and the underlying system.
  • Splunk has released fixed versions; upgrading to them is the remediation.
  • If immediate patching is not feasible, disabling the Splunk Secure Gateway app is a temporary mitigation, but it also disables Splunk Mobile, Spacebridge, and Mission Control, which depend on it.

A critical vulnerability has been discovered in the Splunk Secure Gateway app that could allow an authenticated, low-privileged user to execute arbitrary code on vulnerable systems. The vulnerability, identified as CVE-2024-53247 and assigned a CVSS score of 8.8, affects Splunk Enterprise 9.3.x below 9.3.2, 9.2.x below 9.2.4, and 9.1.x below 9.1.7 (the fix thresholds are per maintenance branch), as well as Splunk Secure Gateway app versions below 3.2.461 and 3.7.13 on the Splunk Cloud Platform.

Details:

The vulnerability stems from deserialization of untrusted data through an insecure use of the jsonpickle Python library. jsonpickle is the JSON counterpart of pickle: it reconstructs Python objects from reserved type tags in the document (py/object, py/reduce, py/function and similar), so decoding attacker-controlled JSON lets the attacker choose which classes are instantiated and which callables are invoked, with arguments of their choosing. That is code execution in the context of the Splunk process. Successful exploitation could grant the attacker complete control over the affected system.
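To make the failure mode concrete, here is an added example written for this page (not Splunk's code and not the jsonpickle project's): the insecure `jsonpickle.decode()` pattern beside a hardened replacement that parses with the standard library and refuses jsonpickle's reserved `py/` tags, plus a small triage routine for hunting such payloads in captured request bodies. The Splunk advisory does not publish the vulnerable code path, so the request bodies below are constructed to show jsonpickle's documented tag format (`py/reduce` calls a named callable with the supplied arguments), not the CVE-2024-53247 exploit; all function and class names are this example's own.

```python
"""Guarding JSON input against jsonpickle-style object reconstruction.

Added example, not Splunk's code. Assumes the vulnerable pattern is
`jsonpickle.decode(untrusted_text)`; the sample bodies are constructed
illustrations of jsonpickle's tag format, not captured Splunk traffic.
"""
from __future__ import annotations

import json
from typing import Any, Iterator

# jsonpickle marks reconstructable Python objects with reserved "py/..." keys
# (see jsonpickle.tags). The ones below name classes, callables or reduce()
# arguments, so any of them in untrusted input means the sender is asking the
# decoder to build or call something.
TAG_PREFIX = "py/"
CODE_EXEC_TAGS = frozenset(
    {"py/object", "py/reduce", "py/function", "py/type", "py/newobj", "py/repr"}
)


def vulnerable_decode(text: str) -> Any:
    """The insecure pattern: pickle-equivalent decoding of untrusted data.
    Requires the third-party jsonpickle package; shown for contrast, never called here."""
    import jsonpickle  # lazy import so the rest of this file runs without it
    return jsonpickle.decode(text)  # imports and calls whatever the tags name


def find_tags(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Walk a parsed JSON tree and yield (json_path, tag) for every py/ key."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith(TAG_PREFIX):
                yield path, key
            yield from find_tags(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_tags(item, f"{path}[{index}]")


def tags_in(text: str) -> list[str]:
    """Convenience: the jsonpickle tags present in a JSON text, in document order."""
    return [tag for _, tag in find_tags(json.loads(text))]


class UnsafePayload(ValueError):
    """Raised when untrusted JSON carries object-reconstruction tags."""


def safe_loads(text: str) -> Any:
    """Hardened replacement: json.loads only ever yields dicts, lists and scalars,
    so nothing can be instantiated or called; the tag scan additionally rejects
    an attempted gadget loudly instead of silently accepting an odd-looking dict."""
    data = json.loads(text)
    hits = list(find_tags(data))
    if hits:
        where = ", ".join(f"{tag} at {path}" for path, tag in hits)
        raise UnsafePayload(f"refusing jsonpickle tags in untrusted input: {where}")
    return data


def triage(bodies: dict[str, str]) -> dict[str, str]:
    """Classify captured request bodies (e.g. from a proxy or WAF log):
    'clean', 'invalid-json', 'suspicious' (py/ tags present) or
    'code-exec' (tags that reach classes or callables)."""
    verdicts: dict[str, str] = {}
    for name, body in bodies.items():
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            verdicts[name] = "invalid-json"
            continue
        tags = {tag for _, tag in find_tags(data)}
        if tags & CODE_EXEC_TAGS:
            verdicts[name] = "code-exec"
        elif tags:
            verdicts[name] = "suspicious"
        else:
            verdicts[name] = "clean"
    return verdicts


# Constructed sample bodies (hypothetical; "some.module.Klass" is a placeholder).
SAMPLE_BODIES = {
    "register-device": '{"device": "phone-1", "app_version": "3.7.13"}',
    "reduce-gadget": '{"py/reduce": [{"py/function": "os.system"}, {"py/tuple": ["id"]}]}',
    "nested-object": '{"profile": {"prefs": [{"py/object": "some.module.Klass", "state": 1}]}}',
    "tuple-only": '{"coords": {"py/tuple": [1, 2]}}',
    "truncated": '{"device": "phone-1"',
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_BODIES).items():
        print(f"{name:16} {verdict}")
```

Running the file prints one verdict per sample body. The property that matters in `safe_loads` is that `json.loads` cannot reconstruct objects by construction; the tag scan exists so that attempts show up in logs rather than being accepted as harmless dicts. If the application genuinely needs typed objects, map the plain dict onto an allow-listed set of classes in your own code rather than letting the input name them.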

Affected Products:

  • Splunk Enterprise: 9.3.x below 9.3.2, 9.2.x below 9.2.4, and 9.1.x below 9.1.7
  • Splunk Secure Gateway app on Splunk Cloud Platform: versions below 3.2.461 and 3.7.13

Impact:

Successful exploitation of this vulnerability could lead to remote code execution, enabling attackers to:

  • Compromise sensitive data
  • Install malware
  • Take control of the system
  • Disrupt critical services

Solution:

Splunk has released patches to address this vulnerability. Users are strongly advised to upgrade to the latest versions of Splunk Enterprise and the Splunk Secure Gateway app:

  • Splunk Enterprise: Upgrade to 9.3.2, 9.2.4, or 9.1.7, or a later release on the same branch.
  • Splunk Secure Gateway app: Upgrade to 3.2.461 or 3.7.13, or a later release on the same branch.
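Because the fixed versions are per maintenance branch, a flat "is my version lower than 9.3.2" comparison misclassifies patched 9.2.x and 9.1.x hosts. The following is an added example, not a Splunk tool, that encodes the thresholds from this advisory and triages a constructed inventory; the hostnames and versions are made up, and the `unknown-branch` verdict for branches the advisory does not list is this example's own convention (treat it as "check the advisory", not as safe). The Enterprise version string can be taken from `splunk version` or the Splunk Web About dialog.

```python
"""Branch-aware version triage for the CVE-2024-53247 fixed releases.

Added example; not a Splunk tool. Fixed versions come from the advisory
summary above; hostnames and versions in INVENTORY are constructed.
"""
from __future__ import annotations

import re

# First fixed build on each maintenance branch, as listed in the advisory.
# "below 9.3.2, 9.2.4 and 9.1.7" is per branch: 9.2.5 is fixed even though it
# sorts below 9.3.2, so a flat tuple comparison would get it wrong.
ENTERPRISE_FIXED = {(9, 3): (9, 3, 2), (9, 2): (9, 2, 4), (9, 1): (9, 1, 7)}
# Splunk Secure Gateway app on Splunk Cloud Platform.
GATEWAY_FIXED = {(3, 2): (3, 2, 461), (3, 7): (3, 7, 13)}
PRODUCT_FIXED = {"enterprise": ENTERPRISE_FIXED, "gateway": GATEWAY_FIXED}


def parse_version(text: str) -> tuple[int, int, int]:
    """'9.3.1', '9.3', or '9.3.1 (build ...)' -> (9, 3, 1); missing parts become 0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def assess(version: str, fixed: dict[tuple[int, int], tuple[int, int, int]]) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one product version.

    A branch listed in `fixed` is compared against its own threshold. A branch
    older than every fixed branch never received the fix. Anything else (a newer
    branch, or an app branch the advisory does not mention) is 'unknown-branch'
    and must be checked against the advisory rather than assumed safe.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in fixed:
        return "patched" if v >= fixed[branch] else "vulnerable"
    if v < min(fixed.values()):
        return "vulnerable"
    return "unknown-branch"


# Constructed inventory: (host, product, version). Not real hosts.
INVENTORY = [
    ("sh-01", "enterprise", "9.3.1"),
    ("sh-02", "enterprise", "9.2.5"),
    ("idx-01", "enterprise", "9.1.6"),
    ("idx-02", "enterprise", "9.0.9"),
    ("dev-01", "enterprise", "9.4.0"),
    ("cloud-gw", "gateway", "3.7.12"),
]


def triage_inventory(inventory) -> dict[str, str]:
    """Map each host to its verdict so the vulnerable ones can be scheduled first."""
    return {host: assess(ver, PRODUCT_FIXED[product]) for host, product, ver in inventory}


def needs_patch(inventory) -> list[str]:
    """Hosts that are definitely vulnerable, sorted into a work queue."""
    return sorted(h for h, v in triage_inventory(inventory).items() if v == "vulnerable")


if __name__ == "__main__":
    for host, verdict in triage_inventory(INVENTORY).items():
        print(f"{host:10} {verdict}")
    print("patch first:", ", ".join(needs_patch(INVENTORY)))
```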

Mitigation:

If immediate patching is not possible, Splunk recommends disabling the Splunk Secure Gateway app as a temporary mitigation. However, it is crucial to note that disabling the app will also disable Splunk Mobile, Spacebridge, and Mission Control, as these apps rely on the Splunk Secure Gateway app’s functionality.

Source: https://securityonline.info/cve-2024-53247-splunk-secure-gateway-app-vulnerability-allows-remote-code-execution