Unauthenticated Log Injection In Splunk SOAR

Advisory ID: SVD-2023-0702

CVE ID: CVE-2023-3997

Published: 2023-07-31

Last Update: 2023-10-18

CVSSv3.1 Score: 8.6, High

CWE: CWE-117

Bug ID: SPL-241869

Description

In Splunk SOAR versions lower than 6.1.0, a maliciously crafted request to a web endpoint through Splunk SOAR can inject ANSI (American National Standards Institute) escape codes into Splunk log files. When a vulnerable terminal application reads those log files, the escape codes can potentially result in malicious code execution in that application. This attack requires a Splunk SOAR user to read the malicious log file locally with a terminal application that supports the translation of ANSI escape codes. The attack further requires the terminal user to execute the code.

This vulnerability does not directly affect Splunk SOAR, only indirectly through the permissions in the user’s terminal. The indirect impact on Splunk SOAR can vary significantly depending on the permissions in the vulnerable terminal application and where and how the terminal user reads the malicious log file. For example, a terminal user can unknowingly copy the malicious file from the Splunk SOAR instance and read it on their local machine. In this case, that local machine would be affected.

Solution

Splunk SOAR (On-premises): Upgrade to version 6.1.0.

Splunk SOAR (Cloud): No action is required. Splunk is actively patching and monitoring the Splunk SOAR (Cloud) instances.

Product Status

Product | Version | Component | Affected Version | Fix Version
Splunk SOAR (On-premises) | | SOAR | 6.0.2 and lower | 6.1.0
Splunk SOAR (Cloud) | | SOAR | 6.0.2 and lower | 6.1.0

Mitigations and Workarounds

If it is not currently practical to upgrade to Splunk SOAR version 6.1.0, you can partially mitigate the risk. As a partial, general mitigation, you can protect Splunk SOAR users from log injections via ANSI escape characters by disabling the ability to process ANSI escape codes in terminal applications or by using a terminal application that supports the filtering of ANSI codes.
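One way to apply the filtering mitigation described above, as an added example that is not Splunk's own code: a small Python filter that detects ANSI escape sequences (CSI, OSC and other ESC-prefixed sequences) and stray control characters in a log file and rewrites them as visible, harmless text before the log is viewed in a terminal. The sample log lines are constructed for the example.

```python
import re
import sys

# Sequences a log-injection payload relies on. Order matters: the CSI and OSC
# branches must be tried before the generic two-character ESC branch.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: ESC ] ... terminated by BEL or ESC \
    r"|\x1b[@-_]"                           # other two-character ESC sequences
    r"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]"    # remaining C0 controls and DEL
)

def neutralize(line: str) -> str:
    """Rewrite every non-printable byte of each matched sequence as \\xNN text.

    Printable characters inside a sequence (e.g. the "[31m" of ESC[31m) are
    kept so an analyst can still see what the attacker tried to inject.
    """
    def visible(m: re.Match) -> str:
        return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in m.group(0))
    return ANSI_RE.sub(visible, line)

def scan_log(text: str):
    """Return (cleaned_text, findings); findings = [(line_no, sequence_count), ...]."""
    cleaned, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        hits = ANSI_RE.findall(line)
        if hits:
            findings.append((n, len(hits)))
        cleaned.append(neutralize(line))
    return "\n".join(cleaned), findings

# Constructed sample: line 2 carries clear-screen and colour CSI sequences,
# line 3 carries an OSC window-title sequence terminated by BEL.
SAMPLE_LOG = (
    "2023-07-31 10:00:01 INFO  GET /rest/ping 200\n"
    "2023-07-31 10:00:02 WARN  GET /rest/\x1b[2J\x1b[31mFAKE ALERT\x1b[0m 404\n"
    "2023-07-31 10:00:03 INFO  user=\x1b]0;title\x07admin login ok\n"
)

if __name__ == "__main__":
    # Usage: python ansi_log_filter.py <logfile>   (reads the sample if no path given)
    raw = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    clean, found = scan_log(raw)
    for line_no, count in found:
        print(f"line {line_no}: {count} escape/control sequence(s) neutralized", file=sys.stderr)
    print(clean)
```

Piping a suspect log through this filter before `less` or `cat` is a practical stand-in for a terminal that filters ANSI codes, and the findings list doubles as a simple detection for injected sequences.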

Detections

None

Severity

Splunk rates this vulnerability as High, 8.6, with a CVSS vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

Attack Vector:

The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk SOAR instance. However, this initial attack vector does not align with the CVSS metrics for “Attack Vector”. In most vulnerabilities that Splunk rates, the vector would align with CVSS metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following:

“The attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).”

The attack mirrors this qualification, requiring another user to open a malicious document, in this case the injected log file. Because of this, Splunk rated this Attack Vector as “Local” per the CVSS v3.1 Specification Document.

Attack Complexity:

This vulnerability requires no additional preparation from the attacker, and there are no extenuating circumstances for exploiting this vulnerability.

Privileges Required:

This vulnerability does not require additional privileges and occurs through an unauthenticated web request to Splunk SOAR.

User Interaction:

This vulnerability requires users to open or read the malicious document, file, or log for successful execution.

Scope:

This vulnerability does not affect Splunk SOAR directly, only indirectly through the authorized permissions in the user’s terminal. This vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, this vulnerability qualifies for a Change in Scope, as defined by the CVSS standard.

Confidentiality/Integrity/Availability:

This vulnerability enables potential remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for Confidentiality, Integrity, and Availability. The indirect impact on Splunk SOAR might vary significantly depending on how the terminal user configured permissions in their terminal application.

Acknowledgments

STÖK / Fredrik Alexandersson

Changelog

2023-08-18: Updated fixed versions from “6.0.1” to “6.0.2”, Splunk SOAR (Cloud) fix from “6.0.1.123902” to “6.0.2”, and minor style changes