Splunk response to Potential Local Privilege Escalation through instructions to run Splunk as non-root user
Advisory ID: SP-CAAAP3M
CVE ID: -
Published: 2017-11-27
Last Update: 2017-11-27
CVSSv3.1 Score: -, High
CVSSv3.1 Vector: -
CWE: -
Bug ID: -
Description
Splunk response to Potential Local Privilege Escalation through instructions to run Splunk as non-root user
- Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192)
At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no Common Vulnerabilities and Exposures (CVE) identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2 (CVSS v2).
Affected Products and Components
Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192)
Affected Components
Splunk Enterprise, Splunk Light, Splunk Universal Forwarder.
Mitigation and Upgrades
To prevent escalation, Splunk recommends not executing the Splunk startup and run-control scripts as the root user where possible.
For further details, please follow the updated “Enable boot-start as a non-root user” documentation in the Splunk Admin Manual as relevant to your environment.
Locations of Affected Files
- Red Hat Linux - /etc/rc.d/init.d/splunk
- HPUX - /etc/rc.config.d/splunk
- AIX - Not impacted, as boot-start passes the user path to the mksys command
- Solaris - /etc/init.d/splunk
Vulnerability Descriptions and Ratings
Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192)
Description
Specific configurations of Splunk Enterprise, Splunk Light, or a Splunk Universal Forwarder running as non-root that match all of the following characteristics:
- Splunk Enterprise, Splunk Light, or the Universal Forwarder is running as a non-root user.
- $SPLUNK_HOME and $SPLUNK_HOME/etc are both owned by the running Splunk user.
- One of the following conditions is satisfied:
  a. A Splunk init script was created via $SPLUNK_HOME/bin/splunk enable boot-start -user on Splunk 6.1.x or later.
  b. A line with SPLUNK_OS_USER= exists in $SPLUNK_HOME/etc/splunk-launch.conf.
The above configurations of Splunk Enterprise, Splunk Light and the Universal Forwarder are vulnerable to a Splunk administrator being able to induce code execution as root.
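An added read-only audit helper, not part of this advisory or of Splunk's own tooling, that checks a single installation for the three conditions above; the init script locations default to those listed under Locations of Affected Files, and the function names, variable names and sample paths are assumed for illustration:

```shell
#!/bin/sh
# Added audit helper (not Splunk's code): checks one installation for the
# SP-CAAAP3M pattern. Read-only; it changes nothing.

# Print the owning user of a path (empty if the path does not exist).
path_owner() {
    ls -ld "$1" 2>/dev/null | awk '{print $3}'
}
# Succeed when splunk-launch.conf under SPLUNK_HOME ($1) sets SPLUNK_OS_USER.
has_os_user_line() {
    grep -q '^[[:space:]]*SPLUNK_OS_USER=' "$1/etc/splunk-launch.conf" 2>/dev/null
}
# Succeed when any init script path in the space-separated list $1 exists.
has_init_script() {
    for p in $1; do
        [ -e "$p" ] && return 0
    done
    return 1
}
# $1 = SPLUNK_HOME, $2 = non-root service user, $3 = candidate init script
# paths (defaults to the locations listed in the advisory).
# Returns 0 and prints FINDING when all advisory conditions hold, else 1.
audit_splunk_home() {
    sh_home=$1
    svc_user=$2
    init_paths=${3:-"/etc/rc.d/init.d/splunk /etc/rc.config.d/splunk /etc/init.d/splunk"}
    if [ "$(path_owner "$sh_home")" != "$svc_user" ] ||
       [ "$(path_owner "$sh_home/etc")" != "$svc_user" ]; then
        echo "ok: $sh_home or $sh_home/etc is not owned by $svc_user"
        return 1
    fi
    trigger=""
    if has_os_user_line "$sh_home"; then
        trigger="SPLUNK_OS_USER is set in etc/splunk-launch.conf"
    elif has_init_script "$init_paths"; then
        trigger="a boot-start init script is present"
    fi
    if [ -z "$trigger" ]; then
        echo "ok: no root-run startup path configured for $sh_home"
        return 1
    fi
    # Root runs code from a tree the service user can rewrite: that is the issue.
    echo "FINDING: $sh_home and $sh_home/etc are owned by $svc_user and $trigger"
    return 0
}
# Stand-alone use: sh audit.sh /opt/splunk splunk [init-script-paths]
if [ $# -ge 2 ]; then
    audit_splunk_home "$1" "$2" "${3:-}"
fi
```

A FINDING is the cue to re-run the boot-start setup as described in the Mitigation section rather than to change ownership of $SPLUNK_HOME by hand.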
Credits
Splunk would like to thank Hank Leininger (KoreLogic) for reporting this issue.
CVSS Severity (version 2.0)
CVSS Base Score 8.5
CVSS Impact Subscore 10.0
CVSS Exploitability Subscore 6.8
Overall CVSS Score 8.5
Document History
- 2017-Oct-27: Rev 1. Initial Release