Command Injection in Splunk Enterprise Using External Lookups
Advisory ID: SVD-2023-0807
CVE ID: CVE-2023-40598
Published: 2023-08-30
Last Update: 2023-10-18
CVSSv3.1 Score: 8.5, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-77
Bug ID: SPL-230071
Description
In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance.
The vulnerability revolves around the currently-deprecated runshellscript command that scripted alert actions use. This command, along with external command lookups, lets an attacker use this vulnerability to inject and execute commands within a privileged context from the Splunk platform instance.
Solution
Upgrade Splunk Enterprise to either 8.2.12, 9.0.6, or 9.1.1.
Splunk is actively upgrading and monitoring Splunk Cloud deployments.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.11 | 8.2.12 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.5 | 9.0.6 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 | 9.1.1 |
| Splunk Cloud | - | Splunk Web | 9.0.2305.100 and below | 9.0.2305.200 |
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
Detections
Severity
Splunk rates this vulnerability 8.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.
Acknowledgments
Danylo Dmytriiev (DDV_UA)