===================================================================
CERT-Renater Information Note No. 2023/VULN278
_____________________________________________________________________

DATE                 : 31/08/2023
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Splunk Enterprise versions prior to
                       8.2.12, 9.0.6, or 9.1.1, and Splunk Cloud versions
                       prior to 9.0.2305.200.
===================================================================

Source advisories:

https://advisory.splunk.com/advisories/SVD-2023-0804
https://advisory.splunk.com/advisories/SVD-2023-0806
https://advisory.splunk.com/advisories/SVD-2023-0807
https://advisory.splunk.com/advisories/SVD-2023-0805
https://advisory.splunk.com/advisories/SVD-2023-0803
https://advisory.splunk.com/advisories/SVD-2023-0802
https://advisory.splunk.com/advisories/SVD-2023-0801

_____________________________________________________________________

Remote Code Execution via Serialized Session Payload

Advisory ID     : SVD-2023-0804
CVE ID          : CVE-2023-40595
Published       : 2023-08-30
Last Update     : 2023-08-30
CVSSv3.1 Score  : 8.8, High
CVSSv3.1 Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE             : CWE-502
Bug ID          : PRODSECOPS-25334

Description

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an
attacker can execute a specially crafted query that they can then use to
serialize untrusted data. The attacker can use the query to execute
arbitrary code.

The exploit requires the use of the collect SPL command, which writes a
file within the Splunk Enterprise installation. The attacker can then use
this file to submit a serialized payload that can result in execution of
code within the payload.

Solution

Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. For Splunk
Cloud Platform, Splunk is actively monitoring and patching affected
instances.

Product Status

Product            Version  Component   Affected Version         Fix Version
Splunk Enterprise  8.2      Splunk Web  8.2.0 to 8.2.11          8.2.12
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.5           9.0.6
Splunk Enterprise  9.1      Splunk Web  9.1.0                    9.1.1
Splunk Cloud       -        Splunk Web  9.0.2305.100 and below   9.0.2305.200

Mitigations and Workarounds

If users do not log in to Splunk Web on indexers in a distributed
environment, disable Splunk Web on those indexers. See "Disable unnecessary
Splunk Enterprise components" and the web.conf configuration specification
file in the Splunk documentation for more information on disabling Splunk
Web.

Detections

None

Severity

Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. If the Splunk Enterprise
instance does not run Splunk Web, there is no impact and the severity is
Informational.

Acknowledgments

Danylo Dmytriiev (DDV_UA)

_____________________________________________________________________

Absolute Path Traversal in Splunk Enterprise Using runshellscript.py

Advisory ID     : SVD-2023-0806
CVE ID          : CVE-2023-40597
Published       : 2023-08-30
Last Update     : 2023-08-30
CVSSv3.1 Score  : 7.8, High
CVSSv3.1 Vector : CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE             : CWE-36
Bug ID          : VULN-5304

Description

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an
attacker can exploit an absolute path traversal to execute arbitrary code
that is located on a separate disk. The runshellscript.py script does not
perform adequate user validation. This lets an attacker use the
runshellscript.py script to run a script in the root directory of another
disk on the machine.

The exploit requires the attacker to have write access to the drive on
which they place the exploit script. The exploit is more accessible on
Splunk Enterprise instances that run on Windows but is applicable to any
operating system.

Solution

Upgrade Splunk Enterprise to 8.2.12, 9.0.6, or 9.1.1. Splunk is actively
monitoring and patching Splunk Cloud systems.

Product Status

Product            Version  Component   Affected Version         Fix Version
Splunk Enterprise  8.2      Splunk Web  8.2.0 to 8.2.11          8.2.12
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.5           9.0.6
Splunk Enterprise  9.1      Splunk Web  9.1.0                    9.1.1
Splunk Cloud       -        Splunk Web  9.0.2305.100 and below   9.0.2305.200

Mitigations and Workarounds

No mitigations.

Detections

None

Severity

Splunk rates this vulnerability a 7.8, Medium, with a CVSSv3.1 vector of
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.

Acknowledgments

Danylo Dmytriiev (DDV_UA)

_____________________________________________________________________

Command Injection in Splunk Enterprise Using External Lookups

Advisory ID     : SVD-2023-0807
CVE ID          : CVE-2023-40598
Published       : 2023-08-30
Last Update     : 2023-08-30
CVSSv3.1 Score  : 8.5, High
CVSSv3.1 Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE             : CWE-77
Bug ID          : SPL-230071

Description

In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker
can create an external lookup that calls a legacy internal function. The
attacker can use this internal function to insert code into the Splunk
platform installation directory. From there, a user can execute arbitrary
code on the Splunk platform instance.

The vulnerability revolves around the currently deprecated runshellscript
command that scripted alert actions use. This command, along with external
command lookups, lets an attacker use this vulnerability to inject and
execute commands within a privileged context from the Splunk platform
instance.

Solution

Upgrade Splunk Enterprise to either 8.2.12, 9.0.6, or 9.1.1. Splunk is
actively upgrading and monitoring Splunk Cloud deployments.

Product Status

Product            Version  Component   Affected Version         Fix Version
Splunk Enterprise  8.2      Splunk Web  8.2.0 to 8.2.11          8.2.12
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.5           9.0.6
Splunk Enterprise  9.1      Splunk Web  9.1.0                    9.1.1
Splunk Cloud       -        Splunk Web  9.0.2305.100 and below   9.0.2305.200

Mitigations and Workarounds

If users do not log in to Splunk Web on indexers in a distributed
environment, disable Splunk Web on those indexers. See "Disable unnecessary
Splunk Enterprise components" and the web.conf configuration specification
file in the Splunk documentation for more information on disabling Splunk
Web.

Detections

None

Severity

Splunk rates this vulnerability 8.5, High, with a CVSSv3.1 vector of
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.

Acknowledgments

Danylo Dmytriiev (DDV_UA)

_____________________________________________________________________

Splunk Enterprise on Windows Privilege Escalation due to Insecure
OPENSSLDIR Build Definition Reference in DLL

Advisory ID     : SVD-2023-0805
CVE ID          : CVE-2023-40596
Published       : 2023-08-30
Last Update     : 2023-08-30
CVSSv3.1 Score  : 7.0, High
CVSSv3.1 Vector : CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE             : CWE-665
Bug ID          : VULN-4474

Description

In Splunk Enterprise versions earlier than 8.2.12, 9.0.6, and 9.1.1, a
dynamic link library (DLL) that ships with Splunk Enterprise references an
insecure path for the OPENSSLDIR build definition. An attacker can abuse
this reference and subsequently install malicious code to achieve privilege
escalation on the Windows machine.

As part of creating the DLL files within a Splunk Enterprise installation,
the build system specifies internal build definition references. If a
reference for a build definition is not provided, the build system uses the
local directory on the build system when it builds the DLL files. The
OPENSSLDIR definition reference was not explicitly provided at build time,
which resulted in an insecure path for the OPENSSLDIR definition being
encoded into the affected DLL file. An attacker could determine this
directory and subsequently create the directory structure locally on the
Splunk Enterprise instance, then install malicious code within this
directory structure to escalate their privileges on the Windows machine that
runs the instance.

Solution

Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. This
vulnerability does not affect Splunk Cloud Platform.

Product Status

Product            Version  Component   Affected Version         Fix Version
Splunk Enterprise  8.2      Splunk Web  8.2.0 to 8.2.11          8.2.12
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.5           9.0.6
Splunk Enterprise  9.1      Splunk Web  9.1.0                    9.1.1

Mitigations and Workarounds

Restrict the permissions of the user that runs the splunkd process to core
functionality. For more information, please review "Harden Your Windows
Installation".

Detections

None

Severity

Splunk rates this vulnerability as 7.0, High, with a CVSSv3.1 vector of
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. If you do not run Splunk
Enterprise on a Windows machine, then there is no impact and the severity
is Informational.

Acknowledgments

Will Dormann, Vul Labs

_____________________________________________________________________

Denial of Service (DoS) via the 'printf' Search Function

Advisory ID     : SVD-2023-0803
CVE ID          : CVE-2023-40594
Published       : 2023-08-30
Last Update     : 2023-08-30
CVSSv3.1 Score  : 6.5, Medium
CVSSv3.1 Vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CWE             : CWE-400
Bug ID          : SPL-235294

Description

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an
attacker can use the 'printf' SPL function to perform a denial of service
(DoS) against the Splunk Enterprise instance through a crash of the Splunk
daemon.

The printf function does not properly validate expressions in certain cases
in combination with commands like fieldformat that occur earlier in the
search pipeline. This failure to validate results in a crash of the Splunk
daemon and the subsequent DoS.

Solution

Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. Splunk is
actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product            Version  Component   Affected Version         Fix Version
Splunk Enterprise  8.2      Splunk Web  8.2.0 to 8.2.11          8.2.12
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.5           9.0.6
Splunk Enterprise  9.1      Splunk Web  9.1.0                    9.1.1
Splunk Cloud       -        Splunk Web  9.0.2305.100 and below   9.0.2305.200

Mitigations and Workarounds

If users do not log in to Splunk Web on indexers in a distributed
environment, disable Splunk Web on those indexers. See "Disable unnecessary
Splunk Enterprise components" and the web.conf configuration specification
file in the Splunk documentation for more information on disabling Splunk
Web.

Detections

None

Severity

Splunk has rated this vulnerability as 6.5, Medium, with a CVSSv3.1 vector
of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H.

Acknowledgments

Danylo Dmytriiev (DDV_UA)

_____________________________________________________________________

Denial of Service (DoS) in Splunk Enterprise Using a Malformed SAML Request

Advisory ID     : SVD-2023-0802
CVE ID          : CVE-2023-40593
Published       : 2023-08-30
Last Update     : 2023-08-30
CVSSv3.1 Score  : 6.3, Medium
CVSSv3.1 Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
CWE             : CWE-400
Bug ID          : SPL-219455

Description

In Splunk Enterprise versions lower than 9.0.6 and 8.2.12, an attacker can
send a malformed Security Assertion Markup Language (SAML) request to the
/saml/acs REST endpoint, which can cause a denial of service through a
crash or hang of the Splunk daemon.

The SAML extensible markup language (XML) parser does not fail SAML
signature validation when the attacker modifies the URI in the SAML
request. Instead it attempts to access the modified URI, which causes the
Splunk daemon to crash or hang.

Solution

Upgrade Splunk Enterprise to versions 8.2.12 and 9.0.6. This vulnerability
does not affect Splunk Enterprise versions 9.1.0 and higher. Splunk is
actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product            Version  Component   Affected Version         Fix Version
Splunk Enterprise  8.2      Splunk Web  8.2.0 to 8.2.11          8.2.12
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.5           9.0.6
Splunk Cloud       -        Splunk Web  9.0.2305.100 and below   9.0.2305.200

Mitigations and Workarounds

No mitigations.

Detections

None

Severity

Splunk rates this vulnerability as 6.3, Medium, with a CVSSv3.1 vector of
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H.

Acknowledgments

Aaron Devaney (Dodekeract)

_____________________________________________________________________

Reflected Cross-site Scripting (XSS) on "/app/search/table" Web Endpoint

Advisory ID     : SVD-2023-0801
CVE ID          : CVE-2023-40592
Published       : 2023-08-30
Last Update     : 2023-08-30
CVSSv3.1 Score  : 8.4, High
CVSSv3.1 Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CWE             : CWE-79
Bug ID          : VULN-5287

Description

In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker
can craft a special web request that can result in reflected cross-site
scripting (XSS) on the "/app/search/table" web endpoint, which presents as
the "Create Table View" page in Splunk Web. Exploitation of this
vulnerability can lead to the execution of arbitrary commands on the Splunk
platform instance.

A JavaScript file within this web endpoint does not properly validate
input, which lets an attacker insert a payload into a function.

Solution

Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. Splunk is
actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product            Version  Component   Affected Version         Fix Version
Splunk Enterprise  8.2      Splunk Web  8.2.0 to 8.2.11          8.2.12
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.5           9.0.6
Splunk Enterprise  9.1      Splunk Web  9.1.0                    9.1.1
Splunk Cloud       -        Splunk Web  9.0.2305.100 and below   9.0.2305.200

Mitigations and Workarounds

If users do not log in to Splunk Web on indexers in a distributed
environment, disable Splunk Web on those indexers. See "Disable unnecessary
Splunk Enterprise components" and the web.conf configuration specification
file in the Splunk documentation for more information on disabling Splunk
Web.

Detections

None

Severity

Splunk rated this vulnerability as 8.4, High, with a CVSSv3.1 vector of
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H.

Acknowledgments

Danylo Dmytriiev (DDV_UA)

=======================================================
+ CERT-RENATER          | tel : 01-53-94-20-44        +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41        +
+ 75013 Paris           | email : cert@support.renater.fr +
=======================================================
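As an added example (not part of the CERT-Renater bulletin or of Splunk's advisories), the script below encodes the affected and fixed versions from the seven product status tables above and reports which advisories still apply to a given Splunk Enterprise or Splunk Cloud version string, so an inventory can be triaged before patching. The advisory, CVE and version values come from this bulletin; the function and variable names are the example's own.

```python
import sys
from typing import Dict, List, Tuple

# First fixed release per maintenance train, from the product status tables.
ENTERPRISE_FIX: Dict[str, Tuple[int, ...]] = {"8.2": (8, 2, 12), "9.0": (9, 0, 6), "9.1": (9, 1, 1)}
CLOUD_FIX: Tuple[int, ...] = (9, 0, 2305, 200)  # Cloud affected: 9.0.2305.100 and below

# advisory -> (CVE, affected Enterprise trains, whether Splunk Cloud is affected)
ADVISORIES = {
    "SVD-2023-0804": ("CVE-2023-40595", ("8.2", "9.0", "9.1"), True),
    "SVD-2023-0806": ("CVE-2023-40597", ("8.2", "9.0", "9.1"), True),
    "SVD-2023-0807": ("CVE-2023-40598", ("8.2", "9.0", "9.1"), True),
    "SVD-2023-0805": ("CVE-2023-40596", ("8.2", "9.0", "9.1"), False),  # Windows only, no Cloud impact
    "SVD-2023-0803": ("CVE-2023-40594", ("8.2", "9.0", "9.1"), True),
    "SVD-2023-0802": ("CVE-2023-40593", ("8.2", "9.0"), True),         # 9.1.0 and higher not affected
    "SVD-2023-0801": ("CVE-2023-40592", ("8.2", "9.0", "9.1"), True),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.0.2305.100' -> (9, 0, 2305, 100); int tuples compare lexicographically."""
    return tuple(int(p) for p in text.strip().split("."))


def affected_advisories(version: str, cloud: bool = False) -> List[str]:
    """Advisory IDs from this bulletin that still apply to `version`.

    A train absent from the tables (e.g. 8.1 or 9.2) yields [] because the
    bulletin says nothing about it; review such instances manually.
    """
    ver = parse_version(version)
    train = f"{ver[0]}.{ver[1]}" if len(ver) >= 2 else ""
    hits = []
    for adv, (_cve, trains, cloud_affected) in ADVISORIES.items():
        if cloud:
            vulnerable = cloud_affected and ver < CLOUD_FIX
        else:
            vulnerable = train in trains and ver < ENTERPRISE_FIX[train]
        if vulnerable:
            hits.append(adv)
    return sorted(hits)


if __name__ == "__main__":
    # usage: python check_splunk.py <version> [cloud]
    ver, is_cloud = sys.argv[1], len(sys.argv) > 2 and sys.argv[2] == "cloud"
    for adv in affected_advisories(ver, is_cloud):
        print(f"{ver}: affected by {adv} ({ADVISORIES[adv][0]})")
```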