Monday, July 15, 2024
EHA

Multiple Splunk Enterprise Flaws Let Attackers Execute Arbitrary Code

Splunk Enterprise has multiple vulnerabilities that can lead to Cross-site Scripting (XSS), Denial of Service (DoS), Remote code execution, Privilege Escalation, and Path Traversal. The severities of these vulnerabilities range between 6.3 (Medium) to 8.8 (High). 

Splunk has addressed these vulnerabilities and has released security advisories for patching them.

CVE-2023-40592: Reflected Cross-site Scripting (XSS)

An attacker can exploit this vulnerability by sending a crafted web request on the “/app/search/table” endpoint leading to the execution of arbitrary commands on the Splunk Platform. This vulnerability exists due to improper input validation. The CVSS score for this vulnerability is given as 8.4 (High). 

CVE-2023-40593: Denial of Service (DoS)

A threat actor can exploit this vulnerability by sending a malformed SAML (Security Assertion Markup Language) request to the /saml/acs REST endpoint, which can cause a Denial of Service (DoS). 

This vulnerability exists due to the fact that the SAML XML parser does not fail the signature validation for the malformed URI. The CVSS score for this vulnerability is given as 6.3 (Medium).

CVE-2023-40594: Denial of Service (DoS

The printf function has improper expression validation in combination with commands like fieldformat. An attacker can exploit this vulnerability to perform a Denial of Service (DoS). The CVSS score for this vulnerability has been given as 6.5 (Medium).

CVE-2023-40595: Remote Code Execution

A threat actor can execute arbitrary code on the Splunk Enterprise platform by sending a specially crafted query that can serialize untrusted data. The CVSS score for this vulnerability is given as 8.8 (High).

CVE-2023-40596: Splunk Enterprise on Windows Privilege Escalation

This vulnerability arises due to an insecure path for the OPENSSLDIR build definition. Splunk Installation creates DLL files and the build system specifies internal build definition. If no build definition is provided, the build system uses the local directory when building the DLL files.

OPENSSLDIR build definition is not provided at build time, resulting in its insecure path getting encoded into the affected DLL files. A threat actor can exploit this to create a directory structure on the Splunk Enterprise instance, thereby installing malicious code that can escalate privileges. The CVSS score for this vulnerability is given as 7.0 (High).

CVE-2023-40597: Absolute Path Traversal

An attacker with write access to the drive on Splunk Enterprise instances can exploit this vulnerability by using the runshellscript.py script. This script has insufficient user validation that lets attackers run a script on the root directory of another disk on the machine.

This can be used to perform absolute path traversal to execute arbitrary code on a separate disk. The CVSS score for this vulnerability has been given as 7.8 (High).

Affected Products and Fixed versions

VulnerabilitiesCVEProductVersionComponentAffected VersionFix Version
Reflected Cross-site Scripting (XSS)CVE-2023-40592Splunk Enterprise8.2Splunk Web8.2.0 to 8.2.118.2.12
Splunk Enterprise9Splunk Web9.0.0 to 9.0.59.0.6
Splunk Enterprise9.1Splunk Web9.1.09.1.1
Splunk CloudSplunk Web9.0.2305.100 and below9.0.2305.200
Denial of Service (DoS)CVE-2023-40593Splunk Enterprise8.2Splunk Web8.2.0 to 8.2.118.2.12
Splunk Enterprise9Splunk Web9.0.0 to 9.0.59.0.6
Splunk CloudSplunk Web9.0.2305.100 and below9.0.2305.200
Denial of Service (DoS)CVE-2023-40594Splunk Enterprise8.2Splunk Web8.2.0 to 8.2.118.2.12
Splunk Enterprise9Splunk Web9.0.0 to 9.0.59.0.6
Splunk Enterprise9.1Splunk Web9.1.09.1.1
Splunk CloudSplunk Web9.0.2305.100 and below9.0.2305.200
Remote Code ExecutionCVE-2023-40595Splunk Enterprise8.2Splunk Web8.2.0 to 8.2.118.2.12
Splunk Enterprise9Splunk Web9.0.0 to 9.0.59.0.6
Splunk Enterprise9.1Splunk Web9.1.09.1.1
Splunk CloudSplunk Web9.0.2305.100 and below9.0.2305.200
Windows Privilege EscalationCVE-2023-40596Splunk Enterprise8.2Splunk Web8.2.0 to 8.2.118.2.12
Splunk Enterprise9Splunk Web9.0.0 to 9.0.59.0.6
Splunk Enterprise9.1Splunk Web9.1.09.1.1
Absolute Path TraversalCVE-2023-40597Splunk Enterprise8.2Splunk Web8.2.0 to 8.2.118.2.12
Splunk Enterprise9Splunk Web9.0.0 to 9.0.59.0.6
Splunk Enterprise9.1Splunk Web9.1.09.1.1
Splunk CloudSplunk Web9.0.2305.100 and below9.0.2305.200

As per the Splunk Security Advisories, users of these products are recommended to upgrade to the latest version to fix these vulnerabilities.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Website

Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles