CVE-2024-36985: Splunk Enterprise RCE via File Upload - Patch Guide
- Low-privileged users can execute arbitrary code on Windows-based Splunk Enterprise instances by uploading files to temporary directories.
- Affected versions include Splunk Enterprise earlier than 9.2.2, 9.1.5, and 9.0.10 when running specifically on Windows platforms.
- Administrators should immediately upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, or 9.0.10 to eliminate the remote execution risk.
Splunk has released security updates to address a high-severity vulnerability tracked as CVE-2024-36985. The flaw allows an authenticated user with low-level permissions to achieve remote code execution (RCE) on the underlying Windows operating system. According to SecurityWeek, the vulnerability lies in the way Splunk Enterprise handles file uploads to temporary directories, which can be manipulated to facilitate arbitrary code execution.
Technical Analysis of CVE-2024-36985
The vulnerability is specific to Splunk Enterprise deployments running on Windows. The core issue is a failure to properly sanitize user-supplied input when handling file uploads to a temporary directory. While Splunk normally restricts high-impact actions to administrative accounts, this flaw allows a user holding only the ‘user’ or ‘power’ role to bypass those restrictions.
In a typical exploitation scenario, the attacker identifies an endpoint that accepts file uploads for processing. By leveraging path traversal or similar manipulation techniques within the upload request, the attacker can place a malicious script or executable into a directory where the Splunk service has execution permissions. Because the Splunk service often runs with high system privileges, successful execution results in Privilege Escalation, providing the attacker with full control over the host environment. This can serve as a beachhead for Lateral Movement across the corporate network.
Splunk Enterprise for Windows Vulnerability Mitigation
This flaw is particularly dangerous because it does not require administrative access. In many organizations, the ‘user’ role is widely distributed, which significantly increases the internal attack surface. The CVSS score of 8.8 reflects the high impact on confidentiality, integrity, and availability, even though authentication is required. Security teams should prioritize applying the 9.1.5, 9.2.2, or 9.0.10 update for their branch, as these versions introduce stricter validation checks for temporary file handling on Windows.
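Because the fix shipped on three separate branches, a naive "is my version lower than 9.2.2" check misclassifies hosts such as 9.1.5 (patched) and 9.2.1 (not patched). The following branch-aware check is an added example, not Splunk's own code or tooling; it only reasons about a version string and a platform label, and how each host's version is collected (for instance from `splunk version`) is left to the caller. The treatment of branches outside 9.0 to 9.2 (older ones counted as affected, newer ones as outside the advisory's range) and the sample inventory are assumptions made for the demonstration.

```python
"""Branch-aware check of a Splunk Enterprise version string against the
fixed releases named in the advisory (9.0.10, 9.1.5, 9.2.2).

Added example, not Splunk's code or tooling. It only reasons about a
version string and a platform label; obtaining the version from each host
(for example from the output of `splunk version`) is left to the caller.
"""
from typing import Optional, Tuple

# Fixed release for each maintained branch, as stated in the advisory.
FIXED_VERSIONS = {
    (9, 0): (9, 0, 10),
    (9, 1): (9, 1, 5),
    (9, 2): (9, 2, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'9.1.3' -> (9, 1, 3). A fourth component such as '9.1.3.1' is ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Splunk version string: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


def fixed_version_for(version: str) -> Optional[Tuple[int, int, int]]:
    """Return the first fixed release on this version's branch, or None when
    the branch is newer than 9.2 and therefore outside the affected range
    (assumption: only the three branches above are listed in the advisory)."""
    major, minor, _ = parse_version(version)
    if (major, minor) in FIXED_VERSIONS:
        return FIXED_VERSIONS[(major, minor)]
    if (major, minor) > (9, 2):
        return None
    # Assumption: branches older than 9.0 sit below every fixed release, so
    # they are reported as affected with the lowest fixed branch as target.
    return FIXED_VERSIONS[(9, 0)]


def is_vulnerable(version: str, platform: str) -> bool:
    """True when this host needs the CVE-2024-36985 update."""
    if platform.strip().lower() != "windows":
        return False  # the advisory scopes the flaw to Windows deployments
    fixed = fixed_version_for(version)
    if fixed is None:
        return False
    return parse_version(version) < fixed


def triage(hosts):
    """hosts: iterable of (hostname, version, platform) -> list of findings
    as (hostname, found_version, upgrade_target)."""
    findings = []
    for name, version, platform in hosts:
        if is_vulnerable(version, platform):
            fixed = fixed_version_for(version)
            findings.append((name, version, ".".join(map(str, fixed))))
    return findings


# Constructed inventory for the demonstration; not real hosts.
SAMPLE_INVENTORY = [
    ("splunk-idx-01", "9.1.3", "windows"),
    ("splunk-sh-01", "9.2.2", "windows"),
    ("splunk-hf-02", "9.0.9", "Windows"),
    ("splunk-idx-02", "9.1.3", "linux"),
    ("splunk-legacy", "8.2.12", "windows"),
    ("splunk-sh-02", "9.3.0", "windows"),
]

if __name__ == "__main__":
    for host, found, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: {found} on Windows is affected; upgrade to {target} or later")
```

Run against the sample inventory, only the three Windows hosts below their branch's fixed release are reported; the Linux host on 9.1.3 is skipped because the advisory limits the flaw to Windows.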
How to Detect CVE-2024-36985 Exploit Attempts
Defenders should monitor their SIEM and SOC dashboards for unusual file creation events in Splunk’s temporary directories. Specifically, watch for script files (e.g., .ps1, .bat, .cmd) or executables being written to subdirectories within the Splunk installation path by the splunkd.exe process.
Furthermore, audit logs should be reviewed for anomalous activity by low-privileged users, particularly uploads of large or unrecognized binary blobs. Integrating EDR telemetry adds visibility by flagging child processes spawned by Splunk that deviate from the expected baseline. Organizations should map these detection strategies to the MITRE ATT&CK framework, specifically User Execution (T1204) and Exploitation for Privilege Escalation (T1068).
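The two indicators above (script or executable files written under the Splunk installation path by splunkd.exe, and child processes of splunkd.exe outside a known baseline) translate directly into detection rules. The script below is an added example, not Splunk's or Runtime Rebel's code. Its event lines are constructed for the demonstration in a simplified key="value" layout loosely modelled on Sysmon FileCreate (Event ID 11) and ProcessCreate (Event ID 1) fields; the install path, the subdirectory names, and the list of baseline child images are assumptions that a real deployment replaces with its own SPLUNK_HOME and its own observed telemetry.

```python
"""Detection logic for the indicators described in the text: script or
executable files written under the Splunk installation path by
splunkd.exe, and child processes of splunkd.exe outside a baseline.

Added example, not Splunk's or Runtime Rebel's code. Event lines are
constructed in a simplified key="value" layout modelled loosely on Sysmon
Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate) fields; a real
pipeline needs a parser for its own event format and a baseline derived
from its own telemetry.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Assumption: default install location; set to the deployment's SPLUNK_HOME.
SPLUNK_HOME = r"C:\Program Files\Splunk"

# Script types named in the advisory, plus executables and DLLs.
SUSPICIOUS_EXTENSIONS = {".ps1", ".bat", ".cmd", ".exe", ".dll"}

# Assumption: child images splunkd legitimately spawns in this environment
# (scripted inputs, index maintenance). Build this from your own baseline.
BASELINE_CHILDREN = {"python3.exe", "splunk-optimize.exe", "splunk-winevtlog.exe"}

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" line into a dict; unknown keys pass through."""
    return dict(_KV.findall(line))


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under_splunk_home(path: str) -> bool:
    prefix = SPLUNK_HOME.lower().rstrip("\\") + "\\"
    return path.lower().startswith(prefix)


def check_file_create(ev: Dict[str, str]) -> Optional[str]:
    """Rule 1: splunkd.exe writes a script or executable inside SPLUNK_HOME."""
    if ev.get("EventID") != "11" or _basename(ev.get("Image", "")) != "splunkd.exe":
        return None
    target = ev.get("TargetFilename", "")
    if _under_splunk_home(target) and PureWindowsPath(target).suffix.lower() in SUSPICIOUS_EXTENSIONS:
        return f"splunkd.exe wrote {target}"
    return None


def check_process_create(ev: Dict[str, str]) -> Optional[str]:
    """Rule 2: splunkd.exe spawns a child image not present in the baseline."""
    if ev.get("EventID") != "1" or _basename(ev.get("ParentImage", "")) != "splunkd.exe":
        return None
    child = _basename(ev.get("Image", ""))
    if child and child not in BASELINE_CHILDREN:
        return f"splunkd.exe spawned non-baseline child {child}"
    return None


RULES = (
    ("suspicious_file_write", check_file_create),
    ("unexpected_child_process", check_process_create),
)


def detect(lines) -> List[Dict[str, str]]:
    """Run every rule over every line; return one alert per hit, in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, check in RULES:
            detail = check(ev)
            if detail:
                alerts.append({"rule": name, "detail": detail, "user": ev.get("User", "")})
    return alerts


# Constructed sample telemetry: two benign events, one file-write hit and
# one child-process hit. Subdirectory names are illustrative only.
SAMPLE_EVENTS = [
    r'EventID="11" Image="C:\Program Files\Splunk\bin\splunkd.exe" TargetFilename="C:\Program Files\Splunk\var\run\splunk\dispatch\1719800000.1\results.csv.gz" User="NT AUTHORITY\SYSTEM"',
    r'EventID="11" Image="C:\Program Files\Splunk\bin\splunkd.exe" TargetFilename="C:\Program Files\Splunk\var\run\splunk\tmp\report.ps1" User="NT AUTHORITY\SYSTEM"',
    r'EventID="11" Image="C:\Windows\explorer.exe" TargetFilename="C:\Users\alice\notes.bat" User="CORP\alice"',
    r'EventID="1" ParentImage="C:\Program Files\Splunk\bin\splunkd.exe" Image="C:\Program Files\Splunk\bin\python3.exe" User="NT AUTHORITY\SYSTEM"',
    r'EventID="1" ParentImage="C:\Program Files\Splunk\bin\splunkd.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" User="NT AUTHORITY\SYSTEM"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['detail']} (user={alert['user']})")
```

The baseline allowlist is the part that needs the most care: an allowlist that is too broad (for example, permitting any image under the Splunk bin directory) would hide exactly the child processes the EDR guidance above wants surfaced, so derive it from observed legitimate activity and review it when Splunk is upgraded.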
Recommendations for Defenders
To effectively secure the environment, the Runtime Rebel intelligence team recommends the following actions:
- Immediate Patching: Update Splunk Enterprise to versions 9.2.2, 9.1.5, 9.0.10, or higher. This is the only definitive way to resolve the underlying code execution flaw.
- Role Review: Audit the list of users assigned to the ‘user’ and ‘power’ roles. Apply the principle of least privilege to ensure only necessary personnel have upload capabilities.
- Isolate Windows Instances: If immediate patching is not feasible, consider placing Windows-based Splunk instances behind a restrictive firewall or VPN to limit the potential exposure of the authenticated attack surface.
- Monitor for IoCs: Watch for IoC patterns involving unusual shell executions or network connections originating from the Splunk service account.