June 16, 2024

Multiple Splunk Enterprise Flaws-Attackers Execute Arbitrary Code

Splunk Enterprise has multiple vulnerabilities that can lead to Cross-site Scripting (XSS), Denial of Service (DoS), Remote code execution, Privilege Escalation, and Path Traversal. The severities of these vulnerabilities range between 6.3 (Medium) to 8.8 (High). 

Splunk has addressed these vulnerabilities and has released security advisories for patching them.

CVE-2023-40592: Reflected Cross-site Scripting (XSS)

An attacker can exploit this vulnerability by sending a crafted web request on the “/app/search/table” endpoint leading to the execution of arbitrary commands on the Splunk Platform. This vulnerability exists due to improper input validation. The CVSS score for this vulnerability is given as 8.4 (High). 

CVE-2023-40593: Denial of Service (DoS)

A threat actor can exploit this vulnerability by sending a malformed SAML (Security Assertion Markup Language) request to the /saml/acs REST endpoint, which can cause a Denial of Service (DoS). 

This vulnerability exists due to the fact that the SAML XML parser does not fail the signature validation for the malformed URI. The CVSS score for this vulnerability is given as 6.3 (Medium).

CVE-2023-40594: Denial of Service (DoS

The printf function has improper expression validation in combination with commands like fieldformat. An attacker can exploit this vulnerability to perform a Denial of Service (DoS). The CVSS score for this vulnerability has been given as 6.5 (Medium).

CVE-2023-40595: Remote Code Execution

A threat actor can execute arbitrary code on the Splunk Enterprise platform by sending a specially crafted query that can serialize untrusted data. The CVSS score for this vulnerability is given as 8.8 (High).

CVE-2023-40596: Splunk Enterprise on Windows Privilege Escalation

This vulnerability arises due to an insecure path for the OPENSSLDIR build definition. Splunk Installation creates DLL files and the build system specifies internal build definition. If no build definition is provided, the build system uses the local directory when building the DLL files.

OPENSSLDIR build definition is not provided at build time, resulting in its insecure path getting encoded into the affected DLL files. A threat actor can exploit this to create a directory structure on the Splunk Enterprise instance, thereby installing malicious code that can escalate privileges. The CVSS score for this vulnerability is given as 7.0 (High).

CVE-2023-40597: Absolute Path Traversal

An attacker with write access to the drive on Splunk Enterprise instances can exploit this vulnerability by using the runshellscript.py script. This script has insufficient user validation that lets attackers run a script on the root directory of another disk on the machine.

This can be used to perform absolute path traversal to execute arbitrary code on a separate disk. The CVSS score for this vulnerability has been given as 7.8 (High).

Affected Products and Fixed versions

Vulnerabilities CVE Product Version Component Affected Version Fix Version
Reflected Cross-site Scripting (XSS) CVE-2023-40592 Splunk Enterprise 8.2 Splunk Web 8.2.0 to 8.2.11 8.2.12
Splunk Enterprise 9 Splunk Web 9.0.0 to 9.0.5 9.0.6
Splunk Enterprise 9.1 Splunk Web 9.1.0 9.1.1
Splunk Cloud Splunk Web 9.0.2305.100 and below 9.0.2305.200
Denial of Service (DoS) CVE-2023-40593 Splunk Enterprise 8.2 Splunk Web 8.2.0 to 8.2.11 8.2.12
Splunk Enterprise 9 Splunk Web 9.0.0 to 9.0.5 9.0.6
Splunk Cloud Splunk Web 9.0.2305.100 and below 9.0.2305.200
Denial of Service (DoS) CVE-2023-40594 Splunk Enterprise 8.2 Splunk Web 8.2.0 to 8.2.11 8.2.12
Splunk Enterprise 9 Splunk Web 9.0.0 to 9.0.5 9.0.6
Splunk Enterprise 9.1 Splunk Web 9.1.0 9.1.1
Splunk Cloud Splunk Web 9.0.2305.100 and below 9.0.2305.200
Remote Code Execution CVE-2023-40595 Splunk Enterprise 8.2 Splunk Web 8.2.0 to 8.2.11 8.2.12
Splunk Enterprise 9 Splunk Web 9.0.0 to 9.0.5 9.0.6
Splunk Enterprise 9.1 Splunk Web 9.1.0 9.1.1
Splunk Cloud Splunk Web 9.0.2305.100 and below 9.0.2305.200
Windows Privilege Escalation CVE-2023-40596 Splunk Enterprise 8.2 Splunk Web 8.2.0 to 8.2.11 8.2.12
Splunk Enterprise 9 Splunk Web 9.0.0 to 9.0.5 9.0.6
Splunk Enterprise 9.1 Splunk Web 9.1.0 9.1.1
Absolute Path Traversal CVE-2023-40597 Splunk Enterprise 8.2 Splunk Web 8.2.0 to 8.2.11 8.2.12
Splunk Enterprise 9 Splunk Web 9.0.0 to 9.0.5 9.0.6
Splunk Enterprise 9.1 Splunk Web 9.1.0 9.1.1
Splunk Cloud Splunk Web 9.0.2305.100 and below 9.0.2305.200

As per the Splunk Security Advisories, users of these products are recommended to upgrade to the latest version to fix these vulnerabilities.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.

Leave a Reply

Your email address will not be published. Required fields are marked *