CVE-2024-45731: 
Splunk Enterprise vulnerability analysis and mitigation

CVE-2024-45731 is a high-severity vulnerability affecting Splunk Enterprise for Windows versions below 9.3.1, 9.2.3, and 9.1.6. The vulnerability allows a low-privileged user without 'admin' or 'power' Splunk roles to write files to the Windows system root directory when Splunk Enterprise is installed on a separate drive. This vulnerability was disclosed on October 14, 2024, and received a CVSS v3.1 score of 8.0 (Splunk Advisory, NIST NVD).

The vulnerability is classified as a path traversal issue (CWE-23) that specifically impacts Windows installations where Splunk Enterprise is installed on a separate disk. The vulnerability allows writing to the Windows system root directory, which typically defaults to the Windows System32 folder. The attack vector is network-accessible (AV:N) with low privilege requirements (PR:L) and requires user interaction (UI:R). The CVSS v3.1 base score of 8.0 HIGH reflects the potential impact, with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H (NIST NVD, SecurityWeek).

If exploited, this vulnerability could allow an attacker to write a malicious DLL file to the Windows system root directory, which could lead to remote code execution when loaded. The potential impact includes complete system compromise through the execution of arbitrary code with elevated privileges (SecurityWeek, Splunk Advisory).

The primary mitigation is to upgrade Splunk Enterprise to versions 9.3.1, 9.2.3, or 9.1.6 or higher. For systems that cannot be immediately updated, organizations should ensure that Splunk Enterprise is not installed on a separate disk, as this configuration is not vulnerable to this specific attack. Splunk has also released detection mechanisms to identify potential exploitation attempts (Splunk Advisory, SecurityWeek).