Splunk Enterprise on Windows Privilege Escalation due to Insecure OPENSSLDIR Build Definition Reference in DLL
Advisory ID: SVD-2023-0805
CVE ID: CVE-2023-40596
Published: 2023-08-30
Last Update: 2023-08-30
CVSSv3.1 Score: 7.0, High
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-665
Bug ID: VULN-4474
Description
In Splunk Enterprise versions earlier than 8.2.12, 9.0.6, and 9.1.1, a dynamic link library (DLL) that ships with Splunk Enterprise references an insecure path for the OPENSSLDIR build definition. An attacker can abuse this reference and subsequently install malicious code to achieve privilege escalation on the Windows machine.
As part of creating the DLL files within a Splunk Enterprise installation, the build system specifies internal build definition references. If a reference for a build definition is not provided, the build system uses the local directory on the build system when it builds the DLL files. The OPENSSLDIR definition reference was not explicitly provided at build time, which resulted in an insecure path for the OPENSSLDIR definition being encoded into the affected DLL file. An attacker could determine this directory and subsequently create the directory structure locally on the Splunk Enterprise instance, then install malicious code within this directory structure to escalate their privileges on the Windows machine that runs the instance.
Solution
Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.
This vulnerability does not affect Splunk Cloud Platform.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.11 | 8.2.12 |
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.5 | 9.0.6 |
Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 | 9.1.1 |
Mitigations and Workarounds
Restrict the permissions of the user that runs the splunkd process to core functionality. For more information, please review Harden Your Windows Installation.
Detections
None
Severity
Splunk rates this vulnerability as 7.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
If you do not run Splunk Enterprise on a Windows machine, then there is no impact and the severity is Informational.
Acknowledgments
Will Dormann, Vul Labs