Unauthenticated Log Injection in Splunk Enterprise
Advisory ID: SVD-2023-0606
CVE ID: CVE-2023-32712
Published: 2023-06-01
Last Update: 2023-10-18
CVSSv3.1 Score: 8.6, High
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-117
Bug ID: SPL-235259
Description
In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can at worst result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit.
Universal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in the following situations:
- The forwarders have been configured to have management services active
- The active management services are exposed and accessible from the network
By default, all Universal Forwarder 9.0 and 9.1 versions bind management services to the local machine (localhost) and are not vulnerable in this specific configuration. See SVD-2022-0605 for more information. Universal Forwarder versions 9.1 and higher use Unix Domain Sockets (UDS) for communication, further reducing the potential attack surface.
The vulnerability does not directly affect Splunk Enterprise or Splunk Universal Forwarder. The indirect impact on the Splunk Enterprise instance and Universal Forwarders can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine.
Solution
For Splunk Enterprise, upgrade to version 8.2.11.2, 9.0.5.1, or 9.1.0.2.
For Splunk Universal Forwarder, upgrade to version 8.2.12, 9.0.6, or 9.1.1.
This vulnerability does not affect Splunk Cloud Platform instances directly. Where possible, Splunk Cloud Platform customers with on-premises Splunk infrastructure, including universal and heavy forwarders, deployment servers, and license servers, must upgrade that infrastructure to reduce their attack surface.
Upgrading or mitigating the issue prevents future log injections. However, logs that were created before performing the upgrades or mitigations can still pose a risk. Where applicable, remove Splunk Enterprise log files in the $SPLUNK_HOME/var/log/splunk/ directory.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.2 | - | 8.2.0 to 8.2.11.1 | 8.2.11.2 |
Splunk Enterprise | 9.0 | - | 9.0.0 to 9.0.5 | 9.0.5.1 |
Splunk Enterprise | 9.1 | - | 9.1.0 to 9.1.0.1 | 9.1.0.2 |
Universal Forwarder | 8.2 | REST API | 8.2.11 and below | 8.2.12 |
Universal Forwarder | 9.0 | REST API | 9.0.0 to 9.0.5 | 9.0.6 |
Universal Forwarder | 9.1 | REST API | 9.1.0 to 9.1.0.1 | 9.1.1 |
Mitigations and Workarounds
As a partial mitigation, users can protect themselves from log injections via ANSI escape characters in general, by disabling the ability to process ANSI escape codes in terminal applications or using a terminal application that supports the filtering of ANSI codes.
For Universal Forwarder versions 8.2.x, configure management services to only accept inbound connections from the local machine (localhost).
For Universal Forwarder versions 9.0.x and 9.1.x, confirm that management services only accept inbound connections from localhost.
To deactivate remote management services on Universal Forwarder:
- In the server.conf configuration file on UF, under the [httpServer] stanza, give the disableDefaultPort setting a value of true, or, under the [general] stanza, give the allowRemoteLogin setting a value of never.
See Configure universal forwarder management security in Securing Splunk Enterprise for more information on deactivating remote management services. For improved overall security on UF versions 9.1.x and higher, where applicable, consider configuring the UF to use UDS for communication. In the server.conf configuration file, under the [httpServer] stanza, give the mgmtMode setting a value of UDS (or default).
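The following script is an added example, not Splunk's own tooling: it reads a Universal Forwarder server.conf and reports whether the two remote-management mitigations above (disableDefaultPort or allowRemoteLogin) and the UDS management mode are present. The sample configuration files are constructed inline.

```python
"""Check a Universal Forwarder server.conf for the remote-management
mitigations described in this advisory. Added example, not Splunk's
own tooling; the sample files below are constructed."""
import configparser

# Constructed sample: a forwarder still exposing its management port.
EXPOSED_CONF = """[general]
serverName = uf-example

[httpServer]
disableDefaultPort = false
"""

# Constructed sample: both mitigations plus UDS mode on 9.1.x.
MITIGATED_CONF = """[general]
allowRemoteLogin = never

[httpServer]
disableDefaultPort = true
mgmtMode = UDS
"""


def _is_true(value):
    # Splunk accepts several spellings for boolean settings.
    return value.strip().lower() in ("true", "1", "yes", "y", "t", "on")


def _load(text):
    # Splunk .conf files are ini-style; configparser compares option
    # names case-insensitively, which is sufficient for this check.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def remote_management_disabled(text):
    """True when [httpServer] disableDefaultPort=true or
    [general] allowRemoteLogin=never is present."""
    cp = _load(text)
    if _is_true(cp.get("httpServer", "disableDefaultPort", fallback="false")):
        return True
    return cp.get("general", "allowRemoteLogin", fallback="").strip().lower() == "never"


def uses_uds(text):
    """True when [httpServer] mgmtMode is explicitly UDS (or default, as the
    advisory allows); an absent setting counts as not explicitly configured."""
    cp = _load(text)
    return cp.get("httpServer", "mgmtMode", fallback="").strip().lower() in ("uds", "default")


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("mitigated", MITIGATED_CONF)):
        print(name, "remote mgmt disabled:", remote_management_disabled(conf),
              "uds:", uses_uds(conf))
```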
Detections
This detection search provides information on possible ANSI Log injection on Splunk Enterprise.
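As an added illustration of what such a detection looks for (this is not Splunk's detection search), the following Python scans log lines for ANSI escape sequences (CSI, OSC and other ESC-introduced sequences) and shows how to neutralize a line so a terminal prints the control bytes instead of interpreting them. The Splunk-style log lines are constructed.

```python
"""Find ANSI escape sequences in log lines (CWE-117 log injection) and
neutralize them before display. Added example, not Splunk's own
detection search; the sample log lines are constructed."""
import re

ESC = "\x1b"
# CSI (ESC [ params final-byte), OSC (ESC ] ... BEL or ESC \), and any
# other two-byte ESC sequence (ESC followed by a byte in @ .. _).
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: colours, cursor moves, clear screen
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: window title, hyperlinks
    r"|\x1b[@-Z\\-_]"                      # other single ESC sequences
)

SAMPLE_LOG = (
    "06-01-2023 10:15:02.123 +0000 INFO  Metrics - group=thruput, instantaneous_kbps=0.5\n"
    "06-01-2023 10:15:03.456 +0000 WARN  HttpListener - path=/\x1b[31mcoloured\x1b[0m\n"
    "06-01-2023 10:15:04.789 +0000 ERROR Example - field=\x1b[2J\x1b]0;injected title\x07x\n"
)


def find_ansi(line):
    """Return the escape sequences found in one log line."""
    return ANSI_RE.findall(line)


def scan_log(text):
    """Return (1-based line number, sequence count) for each suspicious line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        found = find_ansi(line)
        if found:
            hits.append((n, len(found)))
    return hits


def neutralize(line):
    """Make a line safe to print: ESC becomes the visible text '\\x1b' and
    other C0 control bytes (except TAB) become caret notation, so a
    terminal shows them rather than acting on them."""
    out = []
    for ch in line:
        code = ord(ch)
        if ch == ESC:
            out.append("\\x1b")
        elif code < 0x20 and ch != "\t":
            out.append("^" + chr(code + 0x40))
        elif code == 0x7F:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)
```

Run the scan over $SPLUNK_HOME/var/log/splunk/ files and print only neutralized lines; note that scanning finds the sequences but, as the Solution section says, logs written before the fix should still be removed.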
Severity
Splunk rates the vulnerability as High, 8.6, with a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.
Attack Vector:
The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk Enterprise instance. However, this initial attack vector does not align with the CVSS metrics for “Attack Vector.” In most vulnerabilities that Splunk rates, the vector would align with those metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following:
“the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).”
The attack mirrors this example, requiring the user to open a malicious document, in this case the injected log file. Because of this, Splunk rated the Attack Vector as “Local” per the CVSS v3.1 Specification Document.
Attack Complexity:
The vulnerability requires no additional preparation from the attacker, and there are no extenuating circumstances for exploiting the vulnerability.
Privileges Required:
The vulnerability does not require attacker privileges and occurs through an unauthenticated request to the Splunk Enterprise instance.
User Interaction:
The vulnerability requires users to open or read the malicious document, file, or log for successful execution.
Scope:
The vulnerability does not affect Splunk Enterprise directly, only indirectly through the authorized permissions in the user’s terminal. The vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, the vulnerability qualifies for a Change in Scope.
Confidentiality/Integrity/Availability:
The vulnerability allows for the potential for remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for all three vectors. The indirect impact on Splunk Enterprise might vary significantly depending on how the user configured permissions in their terminal application.
Acknowledgments
STÖK / Fredrik Alexandersson
Changelog:
2023-11-16: Updated Mitigation section. allowRemoteLogin is a server.conf setting, not web.conf.
2023-08-30: Expanded the scope of affected products to include Splunk Universal Forwarder
2023-07-31: Updated and expanded the Description, Solutions, Product Status, Mitigations, Detections, and Severity section to include two related, novel vulnerabilities and to clarify technical inaccuracies. Updated the Product Fix versions from “9.1.0.1, 9.0.5, 8.2.11” to “9.1.0.2, 9.0.5.1, 8.2.11.1” to reflect the fixes for the newly remedied vulnerabilities.