Critical Splunk Vulnerability Enables Remote Code Execution

Critical Splunk Vulnerability Enables Remote Code Execution

Posted on By CWS

A newly discovered vulnerability in Splunk Enterprise has been identified, allowing attackers to execute remote code without authentication. This flaw, associated with the PostgreSQL sidecar service, exposes databases to significant risk.

Details of the Vulnerability

Designated as CVE-2026-20253, this vulnerability holds a CVSS score of 9.8, indicating its critical nature. It affects versions of Splunk Enterprise from version 10 onwards, primarily due to a misconfiguration in the PostgreSQL Sidecar Service.

While the service might not be active in on-premise installations, it is automatically enabled in cloud deployments, particularly those on AWS. This makes these setups more vulnerable to potential attacks.

Exploitation Mechanics

watchTowr Labs reports that the service, though intended to listen only on localhost, can be accessed externally via Splunk’s main web interface. Attackers exploit this by sending specific HTTP requests to internal API endpoints.

The vulnerability stems from inadequate authentication measures, permitting attackers to perform unauthorized database operations. By exploiting this flaw, attackers can manipulate database connection parameters, redirecting Splunk to interact with malicious databases.

Impact and Recommendations

Researchers have demonstrated that attackers can gain arbitrary file write access. This is achieved through crafted SQL payloads that utilize PostgreSQL’s large object export functions, facilitating file manipulations on the Splunk system.

The implications of this vulnerability are severe, as they allow for the execution of system commands, potentially compromising entire systems. Splunk has issued an advisory recommending immediate updates to affected versions.

Enterprises utilizing Splunk on AWS should prioritize these updates and monitor internal API access. Implementing access restrictions and reviewing file integrity of critical components is also advised.

Conclusion

This vulnerability underscores the dangers of internal services being exposed through proxy mechanisms, particularly when authentication is not rigorously enforced. The findings highlight the necessity for organizations to regularly update and secure their systems to prevent such exploits.

Cyber Security News Tags:, , , , , , , , ,

Related Posts

FortiVoice 0-day Vulnerability Exploited in the Wild to Execute Arbitrary Code FortiVoice 0-day Vulnerability Exploited in the Wild to Execute Arbitrary Code Cyber Security News
First-ever AI-powered ‘MalTerminal’ Malware uses OpenAI GPT-4 to Generate Ransomware Code First-ever AI-powered ‘MalTerminal’ Malware uses OpenAI GPT-4 to Generate Ransomware Code Cyber Security News
Critical Vulnerability in etcd Allows Unauthorized API Access Critical Vulnerability in etcd Allows Unauthorized API Access Cyber Security News
Ransomware Hits 65% of Financial Firms in 2024 Ransomware Hits 65% of Financial Firms in 2024 Cyber Security News
Rising Cyber Threats Challenge Defense Sector Security Rising Cyber Threats Challenge Defense Sector Security Cyber Security News
Beware of Weaponized VS Code Extension Named ClawdBot Agent that Deploys ScreenConnect RAT Beware of Weaponized VS Code Extension Named ClawdBot Agent that Deploys ScreenConnect RAT Cyber Security News