CVE-2024-23675 Overview
In Splunk Enterprise versions below 9.0.8 and 9.1.3, the Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API). This authorization bypass vulnerability can potentially result in the unauthorized deletion of KV Store collections, impacting data integrity across affected Splunk deployments.
Critical Impact
Authenticated users with low privileges can exploit improper permission handling in the REST API to delete KV Store collections, potentially causing significant data loss and operational disruption.
Affected Products
- Splunk Enterprise versions below 9.0.8
- Splunk Enterprise versions below 9.1.3
- Splunk Cloud (specific versions as noted in vendor advisory)
Discovery Timeline
- 2024-01-22 - CVE-2024-23675 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-23675
Vulnerability Analysis
This vulnerability represents an authorization bypass weakness classified under CWE-284 (Improper Access Control) and CWE-863 (Incorrect Authorization). The flaw exists within the Splunk KV Store component, which is designed to store and retrieve application data through a REST API interface.
The core issue lies in how the KV Store validates user permissions when processing REST API requests. Instead of properly enforcing granular access controls, the system fails to adequately verify whether a user has the appropriate privileges to perform destructive operations on KV Store collections. This allows authenticated users with minimal privileges to execute unauthorized deletion operations.
The vulnerability requires network access and low-privilege authentication, meaning an attacker must have valid credentials to the Splunk environment but does not need administrative access to exploit this flaw. The impact is primarily on data integrity, as successful exploitation enables unauthorized deletion of data collections without affecting confidentiality or system availability directly.
Root Cause
The root cause of CVE-2024-23675 is improper authorization validation within the Splunk KV Store REST API endpoints. When processing requests to manage KV Store collections, the application fails to properly check whether the authenticated user possesses sufficient permissions to perform delete operations. This represents a broken access control pattern where the authorization layer does not adequately enforce role-based restrictions on sensitive API endpoints.
Attack Vector
The attack is executed over the network through the Splunk REST API. An attacker with low-privilege credentials can craft API requests targeting KV Store collection endpoints. Due to the improper permission handling, these requests are processed without proper authorization checks, allowing the attacker to delete collections they should not have access to modify.
The attack requires:
- Valid authentication credentials to the Splunk environment
- Network access to the Splunk REST API
- Knowledge of target KV Store collection names
The vulnerability involves sending REST API requests to the KV Store management endpoints. Due to improper permission validation, delete operations are processed without verifying the user's authorization level. For detailed technical information about the attack methodology, refer to the Splunk Security Advisory SVD-2024-0105.
Detection Methods for CVE-2024-23675
Indicators of Compromise
- Unexpected deletion of KV Store collections, particularly by users who should not have administrative access
- Audit log entries showing REST API delete operations against KV Store endpoints from non-privileged accounts
- Reports of missing application data that was previously stored in KV Store collections
- Unusual patterns of API requests targeting /servicesNS/ or /services/ KV Store endpoints
Detection Strategies
- Enable and review Splunk internal logs for REST API access patterns targeting KV Store endpoints
- Implement monitoring rules using the Splunk Research detection content for this vulnerability
- Configure alerts for deletion operations on KV Store collections performed by non-administrative users
- Audit user permissions regularly to identify accounts with unexpected access to KV Store management functions
Monitoring Recommendations
- Deploy SIEM rules to correlate authentication events with subsequent KV Store API operations
- Establish baseline metrics for normal KV Store management activity and alert on deviations
- Monitor for bulk deletion patterns or sequential delete requests that may indicate exploitation attempts
- Review access logs for authentication from unexpected source IP addresses followed by KV Store operations
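The detection strategies and monitoring recommendations above can be checked against the REST access log that splunkd already writes (splunkd_access.log, sourcetype splunkd_access in the _internal index). The following is an added example, not content from the advisory or from Splunk: it parses constructed log lines in that format, keeps the successful DELETE requests against KV Store collection endpoints (/storage/collections/config/<collection> and /storage/collections/data/<collection>), flags those issued by accounts outside an assumed privileged set, and reports users whose deletes cluster in a short window (the bulk-deletion pattern). The sample lines, the usernames and the PRIVILEGED_USERS set are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of splunkd_access.log; not real captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [22/Jan/2024:10:15:32.101 +0000] "GET /servicesNS/nobody/search/storage/collections/config HTTP/1.1" 200 4210 - - - 6ms
10.0.0.9 - jdoe [22/Jan/2024:10:16:01.221 +0000] "DELETE /servicesNS/nobody/search/storage/collections/config/asset_inventory HTTP/1.1" 200 0 - - - 12ms
10.0.0.9 - jdoe [22/Jan/2024:10:16:02.014 +0000] "DELETE /servicesNS/nobody/search/storage/collections/config/user_notes HTTP/1.1" 200 0 - - - 9ms
10.0.0.9 - jdoe [22/Jan/2024:10:16:02.870 +0000] "DELETE /servicesNS/nobody/search/storage/collections/data/ticket_cache HTTP/1.1" 200 0 - - - 11ms
10.0.0.5 - admin [22/Jan/2024:10:20:00.000 +0000] "DELETE /servicesNS/nobody/search/storage/collections/config/old_collection HTTP/1.1" 200 0 - - - 10ms
10.0.0.7 - jdoe [22/Jan/2024:11:05:45.500 +0000] "GET /services/search/jobs HTTP/1.1" 200 1820 - - - 4ms
"""

# Assumed set of accounts allowed to manage KV Store collections (in practice, derive it
# from your role assignments rather than hard-coding it).
PRIVILEGED_USERS = {"admin"}

# One access-log record: client, user, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# KV Store collection endpoints, with or without the /servicesNS/<owner>/<app> namespace.
KVSTORE_RE = re.compile(
    r'^/services(?:NS/[^/]+/[^/]+)?/storage/collections/'
    r'(?P<kind>config|data)/(?P<collection>[^/?]+)'
)


def parse_kvstore_deletes(log_text, privileged_users):
    """Return successful (2xx) DELETE requests against KV Store collection endpoints."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "DELETE":
            continue
        k = KVSTORE_RE.match(m["path"])
        if not k or not m["status"].startswith("2"):
            continue  # not a KV Store collection, or the request was rejected
        events.append({
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z"),
            "src": m["src"],
            "user": m["user"],
            "kind": k["kind"],            # config = collection definition, data = its records
            "collection": k["collection"],
            "privileged": m["user"] in privileged_users,
        })
    return events


def unprivileged_deletes(events):
    """Deletes issued by accounts that are not expected to manage collections."""
    return [(e["user"], e["kind"], e["collection"]) for e in events if not e["privileged"]]


def bulk_delete_users(events, window=timedelta(minutes=5), threshold=3):
    """Users with at least `threshold` KV Store deletes inside any span of length `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e["time"])
    flagged = {}
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    evts = parse_kvstore_deletes(SAMPLE_LOG, PRIVILEGED_USERS)
    for user, kind, name in unprivileged_deletes(evts):
        print(f"unprivileged delete: user={user} kind={kind} collection={name}")
    for user, n in bulk_delete_users(evts).items():
        print(f"bulk deletion: user={user} deletes_in_window={n}")
```

In a live deployment the same logic belongs in a scheduled search over index=_internal sourcetype=splunkd_access, filtering on method=DELETE and a uri_path under /storage/collections/, with the user field joined against role membership; the script is handy for offline review of exported logs or for validating the search's output.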
How to Mitigate CVE-2024-23675
Immediate Actions Required
- Upgrade Splunk Enterprise to version 9.0.8 or later for the 9.0.x branch
- Upgrade Splunk Enterprise to version 9.1.3 or later for the 9.1.x branch
- For Splunk Cloud customers, verify with Splunk support that your environment has been patched
- Audit current KV Store collection permissions and verify access controls are correctly configured
Patch Information
Splunk has released security updates that address this vulnerability. Organizations should prioritize patching based on their deployment type:
- Splunk Enterprise 9.0.x: Upgrade to version 9.0.8 or later
- Splunk Enterprise 9.1.x: Upgrade to version 9.1.3 or later
- Splunk Cloud: Contact Splunk support or verify patch status through the Splunk Cloud administration interface
Detailed patch information is available in the Splunk Security Advisory SVD-2024-0105.
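Because the fixed version differs per branch, a fleet-wide triage is easy to get wrong (9.0.9 is fixed although it is "below 9.1.3"). The following added helper, not code from Splunk or from the advisory, encodes the fixed versions stated here, parses the output of `splunk version`, and reports whether a given build is affected. It assumes that releases at or above 9.1.3, including later branches, carry the fix and that any release older than 9.0.8 outside the 9.1 branch is affected, which is what the advisory wording implies; confirm branches it does not list against SVD-2024-0105.

```python
import re
import subprocess

# Fixed versions stated in this advisory, keyed by release branch (major, minor).
FIXED_BY_BRANCH = {(9, 0): (9, 0, 8), (9, 1): (9, 1, 3)}


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'Splunk 9.0.7 (build abc123)'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True if `version` predates the fix for its branch.

    Assumption (see lead-in): a branch not listed in FIXED_BY_BRANCH is affected
    only if it is older than 9.0.8; 9.2 and later are treated as carrying the fix.
    """
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    return version < (9, 0, 8)


def triage(hosts):
    """Map host name -> affected flag, given {host: output of `splunk version`}."""
    return {host: is_affected(parse_version(out)) for host, out in hosts.items()}


def local_version():
    """Run `splunk version` on this host and parse the result (requires splunk on PATH)."""
    out = subprocess.run(["splunk", "version"], capture_output=True, text=True, check=True).stdout
    return parse_version(out)


if __name__ == "__main__":
    # Constructed sample inventory; replace with collected `splunk version` output.
    sample = {
        "sh-01": "Splunk 9.0.7 (build constructed)",
        "sh-02": "Splunk 9.0.9 (build constructed)",
        "idx-01": "Splunk 9.1.2 (build constructed)",
        "idx-02": "Splunk 9.2.0 (build constructed)",
    }
    for host, affected in triage(sample).items():
        print(f"{host}: {'AFFECTED - upgrade' if affected else 'fixed'}")
```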
Workarounds
- Implement network segmentation to restrict access to the Splunk REST API to authorized networks and users only
- Review and tighten role-based access controls, ensuring users have minimum required permissions
- Enable comprehensive audit logging for all REST API operations to facilitate detection of exploitation attempts
- Consider implementing additional authentication controls such as certificate-based authentication for API access
# Configuration example
# Review the merged authorization configuration for KV Store-related entries
# (btool --debug shows which authorize.conf file each setting comes from)
splunk btool authorize list --debug | grep -i kvstore
# Enable detailed audit logging for REST operations by adding this stanza to server.conf
# (setting as given in this advisory; confirm it against the server.conf spec for your
# version. REST requests are in any case recorded in splunkd_access.log in the _internal index)
[httpServer]
logRESTApiCalls = true
# Verify the current Splunk version against the fixed versions listed above
splunk version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.