Cross-Site Request Forgery in the ‘ssg/kvstore_client’ REST Endpoint in Splunk Enterprise

Description

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a cross-site request forgery in the Splunk Secure Gateway (SSG) app in the ‘kvstore_client’ REST endpoint lets a potential attacker update SSG App Key Value Store (KV store) collections using an HTTP GET request. SSG is a Splunk-built app that comes with Splunk Enterprise. The vulnerability affects instances with SSG and Splunk Web enabled.

Solution

For Splunk Enterprise, upgrade versions to 8.1.13, 8.2.10, 9.0.4, or higher.

For Splunk Cloud Platform, Splunk is actively patching the Splunk Secure Gateway app and monitoring the Splunk Cloud instances.

Product Status

Mitigations and Workarounds

If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.

Splunk Secure Gateway is a Splunk-built app that comes with Splunk Enterprise. If the Splunk instance does not use the SSG functionality, disable or delete the app. See Manage app and add-on objects for more information.

The SSG app is not available for download or direct update through Splunkbase.

Detections

• Splunk csrf in the ssg kvstore client endpoint

This hunting search provides information on REST method and post data that might reveal exploitation of this vulnerability.

Severity

Splunk rated the vulnerability as Medium, 5.4, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L. The impact endpoint has limited functionality to edit minor configurations and disable minor functionality.

If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational. If the Splunk Enterprise instance disabled or removed the SSG, there is no impact and the severity is Informational.

Acknowledgments

Anton (therceman)