Summary: A critical vulnerability (CVE-2024-53247) in the Splunk Secure Gateway app could allow low-privileged users to execute arbitrary code on affected systems, posing significant security risks. This vulnerability affects multiple versions of Splunk Enterprise and the Splunk Secure Gateway app, necessitating immediate action from users.
Threat Actor: Unknown | unknown
Victim: Splunk Users | Splunk Users
Key Point :
- The vulnerability is due to unsafe deserialization of data using the jsonpickle Python library.
- Exploitation could lead to remote code execution, compromising sensitive data and system control.
- Splunk has released patches; users should upgrade to the latest versions to mitigate risks.
- If immediate patching is not feasible, disabling the Splunk Secure Gateway app is a temporary solution, but it will affect other dependent applications.
A critical vulnerability has been discovered in the Splunk Secure Gateway app that could allow a low-privileged user to execute arbitrary code on vulnerable systems. The vulnerability, identified as CVE-2024-53247 and assigned a CVSS score of 8.8, affects Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7, as well as versions below 3.2.461 and 3.7.13 of the Splunk Secure Gateway app on the Splunk Cloud Platform.
Details:
The vulnerability stems from an unsafe deserialization of data due to an insecure usage of the jsonpickle Python library. This allows an attacker to inject malicious code that can be executed remotely. Successful exploitation could grant the attacker complete control over the affected system.
Affected Products:
- Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7
- Splunk Secure Gateway app versions below 3.2.461 and 3.7.13 on Splunk Cloud Platform
Impact:
Successful exploitation of this vulnerability could lead to remote code execution, enabling attackers to:
- Compromise sensitive data
- Install malware
- Take control of the system
- Disrupt critical services
Solution:
Splunk has released patches to address this vulnerability. Users are strongly advised to upgrade to the latest versions of Splunk Enterprise and the Splunk Secure Gateway app:
- Splunk Enterprise: Upgrade to versions 9.3.2, 9.2.4, or 9.1.7, or higher.
- Splunk Secure Gateway app: Upgrade to versions 3.2.461 or 3.7.13, or higher.
Mitigation:
If immediate patching is not possible, Splunk recommends disabling the Splunk Secure Gateway app as a temporary mitigation. However, it is crucial to note that disabling the app will also disable Splunk Mobile, Spacebridge, and Mission Control, as these apps rely on the Splunk Secure Gateway app’s functionality.