Splunk Enterprise on Windows Privilege Escalation due to Insecure OPENSSLDIR Build Definition Reference in DLL

Advisory ID: SVD-2023-0805

CVE ID: CVE-2023-40596

Published: 2023-08-30

Last Update: 2023-08-30

CVSSv3.1 Score: 7.0, High

CWE: CWE-665

Bug ID: VULN-4474

Description

In Splunk Enterprise versions earlier than 8.2.12, 9.0.6, and 9.1.1, a dynamic link library (DLL) that ships with Splunk Enterprise embeds an insecure path for the OPENSSLDIR build definition. A local attacker with low privileges can recover that path from the DLL, create it on the Windows machine, and install malicious code there to escalate privileges.

When the DLL files in a Splunk Enterprise installation are built, the build system is expected to supply values for internal build definitions. If a definition is not supplied, the build system falls back to a directory local to the build machine and compiles that path into the DLL. The OPENSSLDIR definition, which tells OpenSSL where to look for its configuration at runtime, was not explicitly set at build time, so a build-machine path was encoded into the affected DLL. That path does not normally exist on the Windows machine that runs the instance, so a local attacker who determines it from the DLL can create the directory structure, install malicious code inside it, and have that code picked up by the privileged process that loads the DLL, escalating their privileges on the machine.
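The following audit script is an added example, not Splunk's code and not part of the original advisory. It shows how a defender can check an OpenSSL-linked DLL for the problem described above and in the mitigation below: OpenSSL compiles the literal string OPENSSLDIR: "<path>" into libcrypto (the text returned by OPENSSL_version(OPENSSL_DIR)), so the embedded path can be read straight out of the binary; the script then walks up that path to find the first directory that already exists, because an attacker only needs write access there to create the rest. The sample DLL bytes and the path C:\build\deps\openssl\ssl inside them are constructed for illustration and are not the path from the advisory. The assumption that a drive root such as C:\ lets any authenticated user create a new folder reflects the default Windows ACL and is configurable in the code.

```python
"""Audit a Windows DLL for a build-time OPENSSLDIR path that an
unprivileged local user could pre-create (added example, not Splunk code)."""
import os
import re
import subprocess
from pathlib import Path, PureWindowsPath

# OpenSSL embeds this literal in libcrypto; it is what
# OPENSSL_version(OPENSSL_DIR) returns at runtime.
_OPENSSLDIR_RE = re.compile(rb'OPENSSLDIR: "([^"]*)"')

# Assumption (default Windows ACL): authenticated users may create
# folders directly under the system drive root. Adjust for hardened hosts.
DEFAULT_USER_CREATABLE_ROOTS = ("C:\\",)

# Constructed sample: a fake PE image with the OpenSSL version string in it.
# The path is invented for this example, not the one from the advisory.
SAMPLE_DLL = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b'OPENSSLDIR: "C:\\build\\deps\\openssl\\ssl"\x00'
    + b'OPENSSL_VERSION_NUMBER\x00' + b"\x00" * 16
)


def extract_openssldir(blob: bytes):
    """Return the OPENSSLDIR path compiled into the binary, or None."""
    m = _OPENSSLDIR_RE.search(blob)
    return m.group(1).decode("ascii", "replace") if m else None


def first_existing_ancestor(path: str, exists) -> str:
    """Walk up `path` until `exists(dir)` is true. Everything below that
    directory is what an attacker would have to create."""
    p = PureWindowsPath(path)
    while not exists(str(p)):
        if p.parent == p:        # reached the drive root, e.g. C:\
            break
        p = p.parent
    return str(p)


def assess(openssldir: str, exists,
           user_creatable_roots=DEFAULT_USER_CREATABLE_ROOTS) -> str:
    """Classify how dangerous the embedded OPENSSLDIR is on this host."""
    anchor = first_existing_ancestor(openssldir, exists)
    roots = {r.lower() for r in user_creatable_roots}
    if anchor.lower() == openssldir.lower():
        return "exists: directory already present, review its ACL"
    if anchor.lower() in roots:
        return "creatable: an unprivileged user can create the whole path"
    return "partial: review the ACL of " + anchor


def icacls_report(directory: str):
    """On Windows, return the icacls output for `directory` (else None).
    Look for (AD), (W) or (M) granted to Users/Authenticated Users."""
    if os.name != "nt":
        return None
    out = subprocess.run(["icacls", directory], capture_output=True, text=True)
    return out.stdout


def audit_dll(dll_path: str) -> str:
    """Read a real DLL from disk and assess its embedded OPENSSLDIR."""
    blob = Path(dll_path).read_bytes()
    openssldir = extract_openssldir(blob)
    if openssldir is None:
        return "no OPENSSLDIR string found"
    return f"{openssldir}: {assess(openssldir, os.path.isdir)}"


if __name__ == "__main__":
    # Demonstrate on the constructed sample, pretending only C:\ exists.
    path = extract_openssldir(SAMPLE_DLL)
    print(path, "->", assess(path, lambda d: d.lower() == "c:\\"))
```

Run audit_dll() against each DLL under the Splunk installation (for example with a loop over Path(install_dir).rglob("*.dll")); a "creatable" verdict means the host is exposed until the fixed version is installed, and an "exists" or "partial" verdict is only safe if icacls shows that the anchor directory grants no create or write rights to ordinary users.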

Solution

Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.

This vulnerability does not affect Splunk Cloud Platform.

Product Status

Product           | Version | Component  | Affected Version | Fix Version
Splunk Enterprise | 8.2     | Splunk Web | 8.2.0 to 8.2.11  | 8.2.12
Splunk Enterprise | 9.0     | Splunk Web | 9.0.0 to 9.0.5   | 9.0.6
Splunk Enterprise | 9.1     | Splunk Web | 9.1.0            | 9.1.1

Mitigations and Workarounds

Restrict the permissions of the user that runs the splunkd process to the minimum that core functionality requires, so that code executed in that process context gains as little as possible. For more information, please review Harden Your Windows Installation.

Detections

None

Severity

Splunk rates this vulnerability as 7.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

If you do not run Splunk Enterprise on a Windows machine, there is no impact and the severity is Informational.

Acknowledgments

Will Dormann, Vul Labs