Unauthenticated Log Injection in Splunk IT Service Intelligence (ITSI)
Advisory ID: SVD-2023-0810
CVE ID: CVE-2023-4571
Last Update: 2023-08-30
CVSSv3.1 Score: 8.6, High
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Bug ID: ITSI-31707
In Splunk IT Service Intelligence (ITSI) versions below 4.13.3 or 4.15.3, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed.
The vulnerability does not directly affect Splunk ITSI. The indirect impact on Splunk ITSI can vary significantly depending on the permissions in the vulnerable terminal application, as well as where and how the user reads the malicious log file. For example, users can copy the malicious file from Splunk ITSI and read it on their local machine.
For Splunk ITSI, upgrade to version 4.13.3 or 4.15.3.
Upgrading or mitigating the issue prevents future log injections. However, logs that were generated prior to an upgrade might be at risk. Where applicable, remove existing Splunk ITSI log files in either $SPLUNK_HOME/var/log/splunk/ or $SPLUNK_HOME/var/run/splunk/dispatch/
|Product||Version||Component||Affected Version||Fix Version|
|Splunk ITSI||4.13||-||4.13.0 to 4.13.2||4.13.3|
|Splunk ITSI||4.15||-||4.15.0 to 4.15.2||4.15.3|
Mitigations and Workarounds
As a partial mitigation, users can protect themselves from log injections via ANSI escape characters by disabling the ability to process ANSI escape codes in terminal applications or using a terminal application that supports the filtering of ANSI codes.
Splunk rates the vulnerability as High, 8.6, with a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.
The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk ITSI instance. However, this initial attack vector does not align with the CVSS metrics for “Attack Vector.” In most vulnerabilities that Splunk rates, the vector would align with those metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following:
- the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).”
The attack mirrors this example, requiring the user to open a malicious document, for example, the injected log file. Because of this, Splunk rated the Attack Vector as “Local” per the CVSS v3.1 Specification Document.
The vulnerability does not require additional preparation from the attacker, and there are no extenuating circumstances for exploiting the vulnerability.
The vulnerability does not require attacker privileges and occurs through an unauthenticated request to the Splunk ITSI instance.
The vulnerability requires users to open or read the malicious document, file, or log for successful execution.
The vulnerability does not affect Splunk ITSI directly, only indirectly through the authorized permissions in the user’s terminal. The vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, the vulnerability qualifies for a Change in Scope.
The vulnerability allows for the potential for remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for all three vectors. The indirect impact on Splunk ITSI might vary significantly depending on how the user configured permissions in their terminal application.
STÖK / Fredrik Alexandersson