Warning: Remote Code Execution In Splunk Enterprise And Splunk Secure Gateway App, Patch Immediately!

Published: 13/12/2024

Reference:
Advisory #2024-293

Version:
1.0

Affected software:
Splunk Enterprise below 9.3.2, 9.2.4, and 9.1.7
Splunk Secure Gateway app on Splunk Cloud Platform below 3.7.13, 3.4.261

Type:
Remote Code Execution (RCE)

CVE/CVSS:
CVE-2024-53247: CVSS 8.8(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

Splunk: https://advisory.splunk.com/advisories/SVD-2024-1205

Risks

Older versions of Splunk Enterprise and the Splunk Secure Gateway app have a critical vulnerability that allows an attacker who is logged in as a low-privileged user to execute arbitrary code remotely.

Given the potential for remote code execution (RCE), this vulnerability poses a significant risk to the confidentiality, integrity, and availability (CIA triad) of Splunk servers and all the data stored on them. A system compromised through this vulnerability could be subject to unauthorized data access or modification, or to full control by malicious actors.

As Splunk is a security product and normally holds data on your entire environment, access to it can have significant consequences.

Description

A Remote Code Execution vulnerability affects Splunk Enterprise (versions below 9.3.2, 9.2.4, and 9.1.7) and the Splunk Secure Gateway app (versions below 3.2.461 and 3.7.13). The flaw is an unsafe deserialization caused by insecure use of the jsonpickle Python library, which enables low-privileged users to execute code remotely. Immediate upgrades to patched versions are strongly recommended.
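The root cause named above, decoding attacker-controlled JSON with jsonpickle, is worth seeing in concrete terms. The following is an added example written for this advisory; it is not Splunk's code and does not reproduce the affected component. jsonpickle's reserved keys all start with the prefix `py/` (for instance `py/object`, `py/reduce`, `py/type`), and jsonpickle.decode acts on them by importing modules and constructing or calling the named Python objects. The example shows the defensive alternative: parse untrusted input with the standard `json` module, which only ever yields plain dicts, lists, strings and numbers, and reject any document carrying `py/` tags so it can never reach a jsonpickle-based consumer later. A `scan_log` helper applies the same check over a constructed request log to flag which users submitted such documents; the log format and the placeholder class names are assumptions, not Splunk log output.

```python
import json
from typing import Any

# Prefix of every jsonpickle reserved tag (py/object, py/reduce, py/type, ...).
# Untrusted input containing such keys must never be fed to jsonpickle.decode.
JSONPICKLE_TAG_PREFIX = "py/"


def find_pickle_tags(node: Any, path: str = "$") -> list[str]:
    """Walk an already-parsed JSON document and return the JSONPath-like
    location of every jsonpickle tag it contains (empty list if clean)."""
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith(JSONPICKLE_TAG_PREFIX):
                hits.append(f"{path}.{key}")
            hits.extend(find_pickle_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_pickle_tags(item, f"{path}[{i}]"))
    return hits


def safe_decode(payload: str) -> Any:
    """Parse untrusted JSON into plain Python values only.

    json.loads never imports a module or instantiates a class, unlike
    jsonpickle.decode. Documents carrying jsonpickle tags are rejected
    outright so they cannot be handed to a jsonpickle consumer downstream.
    """
    data = json.loads(payload)
    tags = find_pickle_tags(data)
    if tags:
        raise ValueError(f"rejected jsonpickle tags at {', '.join(tags)}")
    return data


# Constructed sample request log (assumed format, not real Splunk output):
# one JSON record per line, with the decoded request body embedded as a string.
SAMPLE_LOG = [
    json.dumps({"ts": "2024-12-13T09:00:00Z", "user": "alice",
                "body": json.dumps({"title": "weekly report"})}),
    json.dumps({"ts": "2024-12-13T09:00:05Z", "user": "bob",
                "body": json.dumps({"py/object": "example.Placeholder", "args": []})}),
    json.dumps({"ts": "2024-12-13T09:00:09Z", "user": "carol",
                "body": json.dumps({"items": [{"py/reduce": [1]}]})}),
    json.dumps({"ts": "2024-12-13T09:00:12Z", "user": "dave",
                "body": "not json at all"}),
]


def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (user, tag locations) for every log record whose request body
    carries jsonpickle tags; records without a parseable body are skipped."""
    findings: list[tuple[str, list[str]]] = []
    for line in lines:
        record = json.loads(line)
        try:
            body = json.loads(record["body"])
        except (KeyError, ValueError):
            continue
        tags = find_pickle_tags(body)
        if tags:
            findings.append((record["user"], tags))
    return findings


if __name__ == "__main__":
    print(safe_decode('{"title": "weekly report"}'))
    for user, tags in scan_log(SAMPLE_LOG):
        print(f"{user}: jsonpickle tags at {', '.join(tags)}")
```

The key design point is that the allow-list is structural: the decoder only ever produces data, never objects, so there is no gadget to reach regardless of which module names an attacker writes into the document. The tag scan is a secondary control for logging and alerting, useful while a patch is being rolled out, but it is not a substitute for upgrading.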

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
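To decide which Splunk Enterprise instances still need the update, the version has to be compared within its own release line, since the advisory gives a separate fixed version for 9.1, 9.2 and 9.3. The following is an added helper, not part of the advisory or of Splunk's tooling; it takes the three Enterprise fixed versions listed above and compares numerically (so that, for example, a hypothetical 9.2.10 is correctly treated as newer than 9.2.4, which a string comparison would get wrong). Release lines the advisory does not mention are reported as unknown rather than safe. The Secure Gateway app is left out because its fixed versions are listed differently in two places on this page.

```python
from typing import Optional

# Fixed Splunk Enterprise versions per release line, as stated in the advisory.
FIXED_ENTERPRISE = {
    (9, 1): (9, 1, 7),
    (9, 2): (9, 2, 4),
    (9, 3): (9, 3, 2),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'major.minor.patch' into a tuple of ints for numeric comparison."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def enterprise_is_affected(version: str) -> Optional[bool]:
    """True if the given Splunk Enterprise version is below the fixed version
    of its release line, False if it is at or above it, None if the release
    line is not covered by this advisory."""
    parsed = parse_version(version)
    line = parsed[:2]
    fixed = FIXED_ENTERPRISE.get(line)
    if fixed is None:
        return None
    return parsed < fixed


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts from a {hostname: version} inventory into
    'affected', 'patched' and 'unknown' buckets."""
    buckets: dict[str, list[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        state = enterprise_is_affected(version)
        key = "unknown" if state is None else ("affected" if state else "patched")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames and versions are made up.
    sample = {"splunk-sh-01": "9.3.1", "splunk-idx-01": "9.2.4",
              "splunk-idx-02": "9.1.6", "splunk-legacy": "9.0.5"}
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```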

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://notif.safeonweb.be/

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References