Splunk Enterprise 7.0.0.1/7.0.1, 6.6.3.2/6.6.4, 6.5.6, 6.4.9 and 6.3.12 address multiple SAML vulnerabilities

Advisory ID: SP-CAAAP3K

CVE ID: CVE-2017-17067

Published: 2017-11-14

Last Update: 2017-11-14

CVSSv3.1 Score: -, Critical

CVSSv3.1 Vector: -

CWE: -

Bug ID: -

Description

Splunk Enterprise 7.0.0.1/7.0.1, 6.6.3.2/6.6.4, 6.5.6, 6.4.9 and 6.3.12 address multiple SAML vulnerabilities.

1- Multiple SAML implementation vulnerabilities in Splunk Enterprise (CVE-2017-17067)

Please note, as of 2017-Nov-14, all affected Splunk Cloud customers have been updated.

At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on the Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If no Common Vulnerabilities and Exposures (CVE) identifier is listed with a vulnerability, it will be added once one is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores, Splunk uses the Common Vulnerability Scoring System version 2 (CVSS v2) where appropriate.

Affected Products and Components

Multiple SAML implementation vulnerabilities in Splunk Enterprise (CVE-2017-17067)

Affected Product Versions

Splunk Enterprise versions 7.0.x before 7.0.0.1/7.0.1, 6.6.x before 6.6.3.2/6.6.4, 6.5.x before 6.5.6, 6.4.x before 6.4.9, 6.3.x before 6.3.12. All Splunk cloud instances using SAML have been updated to 6.6.3.2.

Affected Components

All Splunk Enterprise components running Splunk Web with SAML authentication enabled.

Unaffected Components

Universal Forwarders and Splunk Enterprise instances where Splunk Web is disabled or not using SAML authentication.

Mitigation and Upgrades

  1. Check if you are running one of the following Splunk Enterprise versions
    • 7.0.x before 7.0.0.1/7.0.1
    • 6.6.x before 6.6.3.2/6.6.4
    • 6.5.x before 6.5.6
    • 6.4.x before 6.4.9
    • 6.3.x before 6.3.12

    $SPLUNK_HOME/bin/splunk version

  2. Check if you have SAML login enabled.

Linux:
$SPLUNK_HOME/bin/splunk btool authentication list | grep authType

Windows (cmd.exe):
%SPLUNK_HOME%\bin\splunk btool authentication list | find "authType"

If the value of 'authType' contains the word 'SAML', the instance is running a vulnerable configuration and should be patched immediately.
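The two checks above, the version test and the authType test, combined into one offline script. This is an added example, not part of the advisory and not Splunk tooling. It assumes the output formats of `splunk version` ("Splunk 6.5.3 (build ...)") and of `splunk btool authentication list` (a line containing "authType = SAML"); the sample outputs embedded at the bottom are constructed. Where the advisory names two fixed releases for a branch (7.0.0.1/7.0.1, 6.6.3.2/6.6.4) the script takes the earlier one as the threshold, on the assumption that both are fixed.

```shell
#!/bin/sh
# Added example (not from the Splunk advisory): apply SP-CAAAP3K's two
# criteria, affected version branch and SAML authType, to captured output.
# Output formats of `splunk version` and `splunk btool authentication list`
# are assumptions; the sample outputs at the bottom are constructed.

# Lowest fixed release per branch, from the advisory's version list.
fixed_for_branch() {
  case "$1" in
    7.0) echo 7.0.0.1 ;;
    6.6) echo 6.6.3.2 ;;
    6.5) echo 6.5.6 ;;
    6.4) echo 6.4.9 ;;
    6.3) echo 6.3.12 ;;
    *)   echo "" ;;
  esac
}

# Numeric comparison of dotted versions; prints -1, 0 or 1.
# Missing trailing components count as 0, so 6.6.4 equals 6.6.4.0.
vercmp() {
  vc_i=1
  while :; do
    vc_x=$(printf '%s\n' "$1" | cut -s -d. -f"$vc_i")
    vc_y=$(printf '%s\n' "$2" | cut -s -d. -f"$vc_i")
    if [ -z "$vc_x" ] && [ -z "$vc_y" ]; then echo 0; return 0; fi
    vc_x=${vc_x:-0}; vc_y=${vc_y:-0}
    if [ "$vc_x" -lt "$vc_y" ]; then echo -1; return 0; fi
    if [ "$vc_x" -gt "$vc_y" ]; then echo 1; return 0; fi
    vc_i=$((vc_i + 1))
  done
}

# Prints AFFECTED, FIXED, or UNLISTED (branch not covered by the advisory).
version_status() {
  vs_branch=$(printf '%s\n' "$1" | cut -d. -f1,2)
  vs_fixed=$(fixed_for_branch "$vs_branch")
  if [ -z "$vs_fixed" ]; then
    echo UNLISTED
  elif [ "$(vercmp "$1" "$vs_fixed")" -lt 0 ]; then
    echo AFFECTED
  else
    echo FIXED
  fi
}

# Pull "6.5.3" out of `splunk version` output (line format is an assumption).
version_from_output() {
  printf '%s\n' "$1" | sed -n 's/^Splunk \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeeds when any authType line in btool output names SAML, as the
# advisory's grep/find check does.
saml_enabled() {
  printf '%s\n' "$1" | grep -i 'authType' | grep -qi 'SAML'
}

# Combine both checks: VULNERABLE, PATCHED, NOT_SAML, UNLISTED_BRANCH or
# UNKNOWN_VERSION. Only a SAML-enabled instance on an affected release is
# reported vulnerable, matching the advisory's affected/unaffected components.
assess() {
  as_ver=$(version_from_output "$1")
  if [ -z "$as_ver" ]; then
    echo UNKNOWN_VERSION
  elif ! saml_enabled "$2"; then
    echo NOT_SAML
  else
    case "$(version_status "$as_ver")" in
      AFFECTED) echo VULNERABLE ;;
      FIXED)    echo PATCHED ;;
      *)        echo UNLISTED_BRANCH ;;
    esac
  fi
}

# Constructed sample outputs standing in for the two commands on a real host.
SAMPLE_VERSION='Splunk 6.5.3 (build constructed)'
SAMPLE_BTOOL='/opt/splunk/etc/system/local/authentication.conf  [authentication]
/opt/splunk/etc/system/local/authentication.conf  authSettings = idp
/opt/splunk/etc/system/local/authentication.conf  authType = SAML'

assess "$SAMPLE_VERSION" "$SAMPLE_BTOOL"   # prints VULNERABLE
```

On a live host, replace the two sample strings with `"$($SPLUNK_HOME/bin/splunk version)"` and `"$($SPLUNK_HOME/bin/splunk btool authentication list)"`. A result of PATCHED or NOT_SAML still does not remove the advisory's general hardening advice; it only means this advisory's affected set does not apply.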

For more information, see the SAML Troubleshooting documentation.

To mitigate this issue, Splunk recommends upgrading to one of the fixed releases listed above and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise releases are cumulative, so later releases also contain the fixes for these vulnerabilities along with new features and other bug fixes.

Vulnerability Descriptions and Ratings

Multiple SAML implementation vulnerabilities in Splunk Enterprise (CVE-2017-17067)

Description

Splunk Enterprise versions 7.0.x before 7.0.0.1/7.0.1, 6.6.x before 6.6.3.2/6.6.4, 6.5.x before 6.5.6, 6.4.x before 6.4.9 and 6.3.x before 6.3.12 contain multiple SAML implementation vulnerabilities. The most severe of these can allow an unauthenticated attacker to gain access to a SAML-enabled Splunk Web instance, or allow an authenticated user to impersonate another user or role.

Credits

Splunk would like to thank Jacob Honoroff for reporting a portion of this issue.

CVSS Severity (version 2.0):

CVSS Base Score 10.0
CVSS Impact Subscore 10.0
CVSS Exploitability Subscore 10.0
Overall CVSS Score 10.0

Document History

  • 2017-Nov-14: Rev 1. Initial Release
  • 2017-Nov-15: Rev 2. Alteration of 6.6.3.2 to 6.6.4 and corrected typos
  • 2017-Nov-17: Rev 3. Updated download instructions
  • 2017-Nov-28: Rev 4. Updated to clarify what versions are patched in Cloud (6.6.3.2)
  • 2017-Nov-30: Rev 5. Alteration of 7.0.0.1 to 7.0.1 and Updated CVE