Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: Multiple Vulnerabilities in Splunk Products
Image
Published : 06/06/2023
Reference:
Advisory #2023-66
Version:
1.0
Affected software:
Splunk App for Lookup File Editing versions 4.0.1
Splunk App for Stream versions 8.1.1
Splunk Cloud Platform 9.0.2303.100
Splunk Enterprise 9.0.5, 8.2.11 and 8.1.14
Type:
Multiple vulnerability types
CVE/CVSS:
CVE-2023-32706 (7.7 High)
CVE-2023-32707 (8.8 High)
CVE-2023-32708 (7.2 High)
CVE-2023-32709 (4.3 Medium)
CVE-2023-32710 (4.8 Medium)
CVE-2023-32711 (5.4 Medium)
CVE-2023-32712 (3.4 Low)
CVE-2023-32713 (7.8 High)
CVE-2023-32714 (8.1 High)
CVE-2023-32715 (4.7 Medium)
CVE-2023-32716 (6.5 Medium)
Sources
https://advisory.splunk.com/
https://nvd.nist.gov/vuln/detail/CVE-2023-32707
https://nvd.nist.gov/vuln/detail/CVE-2023-32714
https://nvd.nist.gov/vuln/detail/CVE-2023-32713
https://nvd.nist.gov/vuln/detail/CVE-2023-32706
https://nvd.nist.gov/vuln/detail/CVE-2023-32708
Risks
Splunk patched 12 vulnerabilities in their software products. The following 5 vulnerabilities have a high severity score:
- CVE-2023-32707: ‘edit_user’ Capability Privilege Escalation
(CWE-285: Improper Authorization) - CVE-2023-32714: Path Traversal in Splunk App for Lookup File Editing
(CWE-35: Path Traversal: '.../...//') - CVE-2023-32713: Local Privilege Escalation via the ‘streamfwd’ program in Splunk App for Stream
(CWE-269: Improper Privilege Management) - CVE-2023-32706: Denial Of Service due to Untrusted XML Tag in XML Parser within SAML Authentication
(CWE-611: Improper Restriction of XML External Entity Reference) - CVE-2023-32708: HTTP Response Splitting via the ‘rest’ SPL Command
(CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'))
Description
You can find a more detailed summary of the high severity CVE's below:
CVE-2023-32707: ‘edit_user’ Capability Privilege Escalation
A low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing a specially crafted web request. This is because the ‘edit_user’ capability does not honor the ‘grantableRoles’ setting in the authorize.conf configuration file, which prevents this scenario from happening.
CVSS 3.1: 8.8
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products:
- Splunk Enterprise <9.0.5, <8.2.11 and <8.1.14
- Splunk Cloud Platform <9.0.2303.100
CVE-2023-32714: Path Traversal in Splunk App for Lookup File Editing
A low-privileged user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory.
CVSS 3.1: 8.1
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected products:
- Splunk App for Lookup File Editing versions <4.0.1
CVE-2023-32713: Local Privilege Escalation via the ‘streamfwd’ program in Splunk App for Stream
A low-privileged user could use a vulnerability in the streamfwd process within the Splunk App for Stream to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user.
CVSS 3.1: 8.1
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products:
- Splunk App for Stream versions <8.1.1
CVE-2023-32706: Denial Of Service due to Untrusted XML Tag in XML Parser within SAML Authentication
An unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon. This happens when an incorrectly configured XML parser receives XML input that contains a reference to an entity expansion. Many recursive references to entity expansions can cause the XML parser to use all available memory on the machine, causing the Splunk daemon to crash or be terminated by the operating system.
CVSS 3.1: 7.7
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Affected products:
- Splunk Enterprise <9.0.5, <8.2.11 and <8.1.14
- Splunk Cloud Platform <9.0.2303.100
CVE-2023-32708: HTTP Response Splitting via the ‘rest’ SPL Command
A low-privileged user can trigger an HTTP response splitting vulnerability with the ‘rest’ SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including viewing restricted content.
CVSS 3.1: 7.2
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products:
- Splunk Enterprise <9.0.5, <8.2.11 and <8.1.14
- Splunk Cloud Platform <9.0.2303.100
Recommended Actions
- Splunk Platform:
- Splunk Enterprise: upgrade versions to 9.0.5, 8.2.11, 8.1.14, or higher.
- Splunk Cloud Platform: automatically updated and monitored by Splunk
- Splunk App for Lookup Editing:
- Upgrade to version 4.0.1 or higher.
- Splunk App for Stream:
- Upgrade to version 8.1.1 or higher.
References
https://advisory.splunk.com/advisories/SVD-2023-0601
https://advisory.splunk.com/advisories/SVD-2023-0602
https://advisory.splunk.com/advisories/SVD-2023-0603
https://advisory.splunk.com/advisories/SVD-2023-0604
https://advisory.splunk.com/advisories/SVD-2023-0605
https://advisory.splunk.com/advisories/SVD-2023-0606
https://advisory.splunk.com/advisories/SVD-2023-0607
https://advisory.splunk.com/advisories/SVD-2023-0608
https://advisory.splunk.com/advisories/SVD-2023-0609
https://advisory.splunk.com/advisories/SVD-2023-0610
https://advisory.splunk.com/advisories/SVD-2023-0611
https://advisory.splunk.com/advisories/SVD-2023-0612