Splunk Enterprise 6.6.x, when configured to run as root but drop privileges to a specific non-root account, allows local users to gain privileges by leveraging access to that non-root account to modify $SPLUNK_HOME/etc/splunk-launch.conf and insert Trojan horse programs into $SPLUNK_HOME/bin, because the non-root setup instructions state that chown should be run across all of $SPLUNK_HOME to give non-root access.
Splunk is prone to multiple local privilege escalation vulnerabilities. A local attacker with access to the non-root service account can exploit these issues to execute arbitrary code with root privileges.
Updates are available. Please see the references or vendor advisory for more information.
Currently, we are not aware of any working exploits.
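The weakness described above is a file-ownership problem: once the service account owns $SPLUNK_HOME/etc/splunk-launch.conf and $SPLUNK_HOME/bin, it controls what the root-started launcher reads and executes. The following POSIX shell audit is an added example, not Splunk's own tooling or the vendor's fix; it only covers the two paths the advisory names, treats ownership by the service account (or world-writability) as a finding, and the account name `splunk`, the `/opt/splunk` path and the `SPLUNK_USER` variable are assumptions for illustration. Which files must stay root-owned on a patched install is a question for the vendor advisory.

```sh
#!/bin/sh
# Added audit script (not part of Splunk). Assumption: the launch-time paths
# that matter for this issue are etc/splunk-launch.conf and bin/ under
# SPLUNK_HOME, as named in the advisory; nothing else is inspected.

# Portable owner lookup: third field of `ls -ld` (avoids GNU-only stat flags).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Permission string, e.g. drwxr-xr-x; used to spot world-writable entries.
mode_of() {
    ls -ld "$1" | awk '{print $1}'
}

# audit_splunk_home <SPLUNK_HOME> <service_account>
# Prints one line per finding and returns 0 if clean, 1 if anything is
# owned by the service account or writable by everyone.
audit_splunk_home() {
    home="$1"; svc="$2"; findings=0
    for f in "$home/etc/splunk-launch.conf" "$home/bin" "$home"/bin/*; do
        [ -e "$f" ] || continue          # skip missing paths / unmatched glob
        o=$(owner_of "$f")
        m=$(mode_of "$f")
        if [ "$o" = "$svc" ]; then
            echo "$f: owned by service account $o (root-started launcher trusts it)"
            findings=$((findings + 1))
        else
            case "$m" in
                ????????w*)                # 9th char = other-write bit
                    echo "$f: world-writable ($m)"
                    findings=$((findings + 1)) ;;
            esac
        fi
    done
    [ "$findings" -eq 0 ]
}

# count_findings <SPLUNK_HOME> <service_account>: number of findings, always exits 0.
count_findings() {
    { audit_splunk_home "$1" "$2" || :; } | wc -l | tr -d ' '
}

# Stand-alone use (hypothetical defaults):
#   SPLUNK_HOME=/opt/splunk SPLUNK_USER=splunk sh audit_splunk_home.sh
if [ -n "${SPLUNK_HOME:-}" ]; then
    audit_splunk_home "$SPLUNK_HOME" "${SPLUNK_USER:-splunk}" \
        || echo "Findings above: the service account can alter what root launches."
fi
```

A clean result from this script is necessary but not sufficient; it says nothing about other root-trusted files under $SPLUNK_HOME, and a blanket `chown -R <svc> $SPLUNK_HOME`, which is exactly what the advisory warns about, will show up here as findings on every listed path.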