Splunk Internal IP and Port Enumeration Vulnerability via Distributed Search Peers
Vulnerability
A vulnerability exists in Splunk Enterprise versions prior to 10.0.1, as well as in versions 9.4.6, 9.3.8, and 9.2.10. Additionally, Splunk Cloud Platform versions prior to 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116 are affected. In these versions, users who hold the high-privilege capability 'change_authentication' can enumerate internal IP addresses and network ports while adding new search peers to a Splunk search head in a distributed environment.
Impact
Exploitation of this vulnerability could lead to unauthorized enumeration of internal IP addresses and network ports, potentially facilitating further attacks or reconnaissance within the network.
Remediation
Users are advised to upgrade Splunk Enterprise to versions 10.0.2, 9.4.6, 9.3.8, 9.2.10, or higher. For Splunk Cloud Platform instances, no action is required as Splunk is actively monitoring and patching these instances.
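To see which roles hold the 'change_authentication' capability named above, directly or through inherited roles, the following added example (not part of the advisory or of Splunk's own tooling) resolves importRoles chains in authorize.conf text. It assumes the standard [role_<name>] stanza syntax, that a capability counts only when set to enabled, and that a child role cannot disable an inherited capability; the sample configuration and its role names are constructed.

```python
import configparser

CAPABILITY = "change_authentication"  # capability named in the advisory

# Constructed sample authorize.conf content, not taken from a real deployment.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled

[role_admin]
importRoles = user
change_authentication = enabled

[role_platform_ops]
importRoles = admin

[role_auditor]
importRoles = user
change_authentication = disabled
"""

def roles_with_capability(conf_text, capability=CAPABILITY):
    """Map each role holding the capability to the role that grants it."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case, e.g. importRoles
    parser.read_string(conf_text)
    roles = {name[len("role_"):]: parser[name]
             for name in parser.sections() if name.startswith("role_")}

    def granting_role(role, seen):
        if role not in roles or role in seen:  # unknown role or import cycle
            return None
        if roles[role].get(capability, "").strip().lower() == "enabled":
            return role
        for parent in roles[role].get("importRoles", "").split(";"):
            found = granting_role(parent.strip(), seen | {role})
            if found:
                return found
        return None

    holders = {}
    for role in sorted(roles):
        source = granting_role(role, frozenset())
        if source:
            holders[role] = source
    return holders

if __name__ == "__main__":
    print(roles_with_capability(SAMPLE_AUTHORIZE_CONF))
```

Run it against the merged configuration, for example the output of `splunk btool authorize list`, rather than a single file.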
