Splunk Enterprise on Windows Privilege Escalation due to Insecure OPENSSLDIR Build Definition Reference in DLL

Description

In Splunk Enterprise versions earlier than 8.2.12, 9.0.6, and 9.1.1, a dynamic link library (DLL) that ships with Splunk Enterprise references an insecure path for the OPENSSLDIR build definition. An attacker can abuse this reference and subsequently install malicious code to achieve privilege escalation on the Windows machine.

As part of creating the DLL files within a Splunk Enterprise installation, the build system specifies internal build definition references. If a reference for a build definition is not provided, the build system uses the local directory on the build system when it builds the DLL files. The OPENSSLDIR definition reference was not explicitly provided at build time, which resulted in an insecure path for the OPENSSLDIR definition being encoded into the affected DLL file. An attacker could determine this directory and subsequently create the directory structure locally on the Splunk Enterprise instance, then install malicious code within this directory structure to escalate their privileges on the Windows machine that runs the instance.

Solution

Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.

This vulnerability does not affect Splunk Cloud Platform.

Product Status

Mitigations and Workarounds

Restrict the permissions of the user that runs the splunkd process to core functionality. For more information, please review Harden Your Windows Installation.

Detections

None

Severity

Splunk rates this vulnerability as 7.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

If you do not run Splunk Enterprise on a Windows machine, then there is no impact and the severity is Informational.

Acknowledgments

Will Dormann, Vul Labs