Local Privilege Escalation via the ‘streamfwd’ program in Splunk App for Stream
Advisory ID: SVD-2023-0607
CVE ID: CVE-2023-32713
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 7.8, High
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-269
Bug ID: STREAM-5290
Description
A low-privileged user could use a vulnerability in the streamfwd process within the Splunk App for Stream to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user.
Solution
Upgrade the Splunk App for Stream to version 8.1.1 or higher.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk App for Stream | 8.1 | streamfwd | 8.1 and lower | 8.1.1 |
Mitigations and Workarounds
- Install the Splunk App for Stream as a high-privileged user, for example, one that has been added to the /etc/sudoers file on the machine that runs the instance (on machines that run *nix).
- Limit user access to the ‘streamfwd’ process by removing all but privileged users’ ability to run the process.
- Disable the Splunk App for Stream if you do not require it and cannot upgrade it.
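The second workaround above amounts to a file-permission review of the ‘streamfwd’ binary: confirm who can run it and whether it carries setuid/setgid bits, then restrict execution to the owner and a privileged group. The following Python is an added example written for this page, not Splunk's code or tooling; the advisory gives no path for the binary, so the helper builds a constructed stand-in in a temporary directory and you would pass the real path from your deployment instead.

```python
import os
import stat
import tempfile


def audit_binary(path):
    """Return the ownership and permission facts that matter for a
    local privilege-escalation review of a runnable binary."""
    st = os.stat(path)
    mode = st.st_mode
    return {
        "owner_uid": st.st_uid,
        "group_gid": st.st_gid,
        "mode": stat.S_IMODE(mode),          # permission bits only, e.g. 0o4755
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "group_exec": bool(mode & stat.S_IXGRP),
        "world_exec": bool(mode & stat.S_IXOTH),
    }


def findings(path):
    """List of problems a reviewer would flag; empty means only the owner
    and the owning group can execute the file and no set-id bits are set."""
    a = audit_binary(path)
    out = []
    if a["world_exec"]:
        out.append("any local user can execute it")
    if a["setuid"]:
        out.append("setuid bit set: runs as uid %d regardless of caller" % a["owner_uid"])
    if a["setgid"]:
        out.append("setgid bit set: runs with gid %d regardless of caller" % a["group_gid"])
    return out


def restrict_execution(path, mode=0o750, keep_setid_bits=False):
    """Tighten the file to owner+group only (default 0750). Setuid/setgid bits
    are dropped unless explicitly kept. Returns the audit after the change.
    Assigning the privileged group itself (chown root:<group>) needs root and
    is left to the operator."""
    current = stat.S_IMODE(os.stat(path).st_mode)
    new = mode
    if keep_setid_bits:
        new |= current & (stat.S_ISUID | stat.S_ISGID)
    os.chmod(path, new)
    return audit_binary(path)


def make_sample_binary(mode=0o4755):
    """Constructed stand-in for streamfwd: a shell stub in a fresh temp dir,
    deliberately created with the loose permissions the check should catch.
    Not the real binary and not its real location."""
    d = tempfile.mkdtemp(prefix="streamfwd-demo-")
    path = os.path.join(d, "streamfwd")
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho stub\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    p = make_sample_binary()
    print(p, findings(p))
    print(restrict_execution(p))
    print(findings(p))   # expected: []
```

Run it against the real binary with `audit_binary("/path/to/streamfwd")` first and only call `restrict_execution` once you have confirmed which group the Splunk service and its operators actually use; a 0750 binary owned by a group nobody is in stops the forwarder outright.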
Detections
None
Severity
Splunk rated the vulnerability as High, 7.8, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.
If the instance does not run the Splunk App for Stream, then there is no impact and the severity is Informational.
Acknowledgments
Ben Leonard-Lagarde & Lucas Fedyniak-Hopes (Modux)