CVE-2011-4644
published 2012-01-03


Priority: P2 · 61
Severity: critical (CVSS 2.0 base score 9.3, vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Tags: EXPLOIT
EPSS: 7.83% (93.9th percentile)
Splunk 4.2.5 and earlier, when a Free license is selected, enables potentially undesirable functionality within an environment that intentionally does not support authentication, which allows remote attackers to (1) read arbitrary files via a management-console session that leverages the ability to create crafted data sources, or (2) execute management commands via an HTTP request.

Affected

65 ranges · showing 25 (only the first row carries a version range; the remaining 24 shown rows list vendor splunk / product splunk with no version range or fix version recorded)

Vendor   Product   Version range   Fixed in
splunk   splunk    <= 4.2.5        (none listed)

Detection & IOCs (extracted from sources)

port: 8000
port: 8089
url: /services/auth/login
url: /en-GB/account/login
url: /services/server/info/server-info
url: /services/authentication/httpauth-tokens
url: /servicesNS/-/launcher/authentication/users
url: /en-US/manager/launcher/server/settings/settings?action=edit
path: /services/properties/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fopt%2fsplunk%2fetc%2fsplunk-launch/default/SPLUNK_HOME
command: search index=_internal source=*splunkd.log |mappy x=eval("sys.modules['os'].system(base64.b64decode('%s'))")
  • Detect directory traversal attempts against Splunk's /services/properties/ endpoint using URL-encoded path traversal sequences (..%2f) targeting sensitive files such as splunk-launch
  • Detect Splunk search queries containing 'mappy' with embedded os.system or base64.b64decode calls, indicative of the RCE payload used in this exploit
  • Alert on unauthenticated POST requests to /services/auth/login that receive a response containing 'Remote login disabled because you are using a free license', indicating a Free license Splunk instance exploitable without credentials
  • Monitor for POST requests to /servicesNS/-/launcher/authentication/users on Splunk port 8089, which indicates an attempt to create a new admin user via the management API
  • Detect access to /services/authentication/httpauth-tokens on Splunk's splunkd port (8089), which is used by the exploit to verify admin-level access
  • The exploit targets Splunk 4.2.5 and earlier. The splunkd management API listens on port 8089 (HTTPS by default) and the web interface on port 8000; both are targeted.
  • A proxy can be configured in the exploit script to route traffic through an intermediary, which may be used to evade network-level detection.
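An added detection example, not taken from the page's sources or from Splunk: it turns four of the detection bullets above (properties traversal, mappy/os.system searches, admin-user creation via the management API, and httpauth-tokens access on 8089) into matching rules run over constructed request-log lines and search strings. The log line format, client addresses and sample searches are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample request log (not from any real host).
# Assumed format: <client> <dst_port> "<METHOD> <path>" <status>
SAMPLE_LOG = """\
10.0.0.5 8089 "GET /services/properties/..%2f..%2f..%2fopt%2fsplunk%2fetc%2fsplunk-launch/default/SPLUNK_HOME" 200
10.0.0.5 8089 "POST /servicesNS/-/launcher/authentication/users" 201
10.0.0.5 8089 "GET /services/authentication/httpauth-tokens" 200
10.0.0.7 8000 "GET /en-GB/account/login" 200
10.0.0.5 8089 "GET /services/server/info/server-info" 200
"""

# Constructed search strings as they might appear in a search audit log.
SAMPLE_SEARCHES = [
    "search index=_internal source=*splunkd.log |mappy x=eval(\"sys.modules['os'].system(base64.b64decode('%s'))\")",
    "search index=_internal sourcetype=splunkd ERROR | stats count",
]

LOG_RE = re.compile(r'^(?P<client>\S+) (?P<port>\d+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d+)$')
# 'mappy' followed anywhere by an os.system / base64.b64decode reference (bullet 2).
MAPPY_RE = re.compile(r"\bmappy\b.*(os'\]\.system|os\.system|base64\.b64decode)", re.IGNORECASE)


def classify_request(line):
    """Return the name of the first rule a request-log line matches, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    port, method, path = int(m["port"]), m["method"], m["path"]
    decoded = unquote(unquote(path))  # decode twice so double-encoded ..%252f is also caught
    if path.startswith("/services/properties/") and "../" in decoded:
        return "properties_traversal"          # bullet 1
    if port == 8089 and method == "POST" and path.startswith("/servicesNS/-/launcher/authentication/users"):
        return "mgmt_user_creation"            # bullet 4
    if port == 8089 and path.startswith("/services/authentication/httpauth-tokens"):
        return "httpauth_token_check"          # bullet 5
    return None


def classify_search(query):
    """Return 'mappy_os_exec' when a search string carries the mappy/os.system pattern."""
    return "mappy_os_exec" if MAPPY_RE.search(query) else None


def scan(log_text, searches):
    """Run both rule sets and return (rule, offending_line) pairs in input order."""
    hits = []
    for line in log_text.splitlines():
        rule = classify_request(line)
        if rule:
            hits.append((rule, line))
    for query in searches:
        rule = classify_search(query)
        if rule:
            hits.append((rule, query))
    return hits
```

The login-response bullet is not implemented because the response body is not present in a request log; matching it needs proxy or application logs that record the response text.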