Local Privilege Escalation via the ‘streamfwd’ program in Splunk App for Stream

Advisory ID: SVD-2023-0607

CVE ID: CVE-2023-32713

Published: 2023-06-01

Last Update: 2023-06-01

CVSSv3.1 Score: 7.8, High

CWE: CWE-269

Bug ID: STREAM-5290

Description

A low-privileged user could use a vulnerability in the streamfwd process within the Splunk App for Stream to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user.

Solution

Upgrade the Splunk App for Stream to version 8.1.1 or higher.

Product Status

Product                Version  Component  Affected Version  Fix Version
Splunk App for Stream  8.1      streamfwd  8.1 and lower     8.1.1

Mitigations and Workarounds

  • Install the Splunk App for Stream as a high-privileged user, for example one that has been added to the /etc/sudoers file on the machine that runs the instance (on machines that run *nix).
  • Restrict access to the ‘streamfwd’ binary so that only privileged users can execute it; remove execute permission for all other users.
  • Disable the Splunk App for Stream if you do not require it and cannot upgrade it.
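As an added example, not Splunk's code and not part of this advisory, the POSIX shell script below turns the Product Status table and the second workaround into a host check: it reads the app version from app.conf, compares it against the 8.1.1 fix version, and reports whether the streamfwd binary is still executable by unprivileged ("other") users. The app.conf location under $SPLUNK_HOME/etc/apps/splunk_app_stream/default/ and the binary path are assumptions that must be adjusted to the deployment, and the files the demo section creates are constructed sample input, not a real installation.

```shell
#!/bin/sh
# Added example, not code from Splunk or from the advisory.
# Assumptions: the app version is recorded as "version = x.y.z" in the
# [launcher] stanza of $SPLUNK_HOME/etc/apps/splunk_app_stream/default/app.conf
# (path may differ per deployment), the operator supplies the streamfwd binary
# path, and version strings are numeric dotted fields.

FIX_VERSION="8.1.1"

# vercmp A B: prints -1 if A<B, 0 if equal, 1 if A>B. Missing fields count as 0,
# non-digits are dropped, so "8.1" is treated as 8.1.0.
vercmp() {
    a="$1.0.0"; b="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i" | tr -cd '0-9')
        y=$(printf '%s\n' "$b" | cut -d. -f"$i" | tr -cd '0-9')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    echo 0
}

# stream_affected VERSION: succeeds when VERSION is below the fix version,
# i.e. the advisory's "8.1 and lower". An empty/unparseable version is treated
# as affected so that an unknown install is never silently marked fixed.
stream_affected() {
    [ "$(vercmp "$1" "$FIX_VERSION")" -lt 0 ]
}

# appconf_version FILE: prints the version= value from the [launcher] stanza
# of an app.conf, or nothing if it is absent.
appconf_version() {
    awk -F= '
        /^\[/ { in_launcher = ($0 == "[launcher]") }
        in_launcher && $1 ~ /^[ \t]*version[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit
        }' "$1"
}

# other_exec FILE: succeeds when "other" users can execute FILE, which is the
# condition the second workaround removes. Reads the mode from ls -ld so it
# works on both GNU and BSD userlands (stat flags differ between them).
other_exec() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        *x|*t) return 0 ;;
        *)     return 1 ;;
    esac
}

# check_host APPCONF STREAMFWD: prints NOT_INSTALLED, FIXED, AFFECTED or
# AFFECTED_WORLD_EXEC so the result can be collected into an inventory.
check_host() {
    [ -f "$1" ] || { echo NOT_INSTALLED; return; }
    v=$(appconf_version "$1")
    if ! stream_affected "$v"; then echo FIXED; return; fi
    if [ -e "$2" ] && other_exec "$2"; then
        echo AFFECTED_WORLD_EXEC
    else
        echo AFFECTED
    fi
}

# Demo on constructed sample input (not a real deployment): an app.conf for 8.1
# and a world-executable placeholder standing in for the streamfwd binary.
DEMO=$(mktemp -d)
printf '[launcher]\nversion = 8.1\n' > "$DEMO/app.conf"
printf '#!/bin/sh\n' > "$DEMO/streamfwd"; chmod 0755 "$DEMO/streamfwd"
check_host "$DEMO/app.conf" "$DEMO/streamfwd"    # AFFECTED_WORLD_EXEC
chmod 0750 "$DEMO/streamfwd"                      # apply the second workaround
check_host "$DEMO/app.conf" "$DEMO/streamfwd"    # AFFECTED
printf '[launcher]\nversion = 8.1.1\n' > "$DEMO/app.conf"
check_host "$DEMO/app.conf" "$DEMO/streamfwd"    # FIXED
rm -rf "$DEMO"
```

On a real host, point check_host at the deployed app.conf and streamfwd path; AFFECTED_WORLD_EXEC means neither the upgrade nor the permission workaround is in place, while AFFECTED means the workaround applies but the upgrade to 8.1.1 is still outstanding.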

Detections

None

Severity

Splunk rated the vulnerability as High, 7.8 with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

If the instance does not run the Splunk App for Stream, then there is no impact and the severity is Informational.

Acknowledgments

Ben Leonard-Lagarde & Lucas Fedyniak-Hopes (Modux)