Risky command safeguards bypass in Dashboard Examples Hub

Advisory ID: SVD-2024-0302

CVE ID: CVE-2024-29946

Published: 2024-03-27

Last Update: 2024-04-09

CVSSv3.1 Score: 8.1, High

CWE: CWE-20

Bug ID: SPL-250341

Description

In Splunk Enterprise versions below 9.2.1, 9.1.4 and 9.0.9, and Splunk Cloud Platform versions below 9.1.2312.104 and 9.1.2308.205, the Dashboard Examples Hub in the Splunk Dashboard Studio app lacks protections for risky SPL commands, which could allow an attacker to bypass SPL safeguards for risky commands.

The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. On Splunk Enterprise, it additionally requires that Splunk Web is turned on.

For more information on risky commands and potential impacts, see SPL safeguards for risky commands.

Solution

For Splunk Enterprise, upgrade to version 9.2.1, 9.1.4, 9.0.9, or higher.

For Splunk Cloud Platform, Splunk has put in place a mitigation, and is actively monitoring and rolling out patches across Splunk Cloud Platform instances.

Product Status

Product               | Version | Component               | Affected Version             | Fix Version
----------------------|---------|-------------------------|------------------------------|-------------
Splunk Enterprise     | 9.2     | Splunk Dashboard Studio | 9.2.0 to 9.2.0.1             | 9.2.1
Splunk Enterprise     | 9.1     | Splunk Dashboard Studio | 9.1.0 to 9.1.3               | 9.1.4
Splunk Enterprise     | 9.0     | Splunk Dashboard Studio | 9.0.0 to 9.0.8               | 9.0.9
Splunk Cloud Platform | -       | Splunk Dashboard Studio | 9.1.2312.100 to 9.1.2312.103 | 9.1.2312.104
Splunk Cloud Platform | -       | Splunk Dashboard Studio | Below 9.1.2308.205           | 9.1.2308.205

Mitigations and Workarounds

On Splunk Cloud Platform only, Splunk implemented network-level changes that fully mitigate the vulnerability.

On Splunk Enterprise only:

You can mitigate the vulnerability by removing the template file for the Splunk Dashboard Studio Examples Hub. This file is located at $SPLUNK_HOME/etc/apps/splunk-dashboard-studio/appserver/templates/example-hub.html. This mitigation prevents the Dashboard Examples Hub from rendering.

The vulnerability affects instances with Splunk Web turned on. You can turn Splunk Web off as a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.

The Splunk-built Splunk Dashboard Studio app comes with Splunk Enterprise and uses the Dashboard Examples Hub. You can disable the app as a possible workaround for instances that do not run as Search Heads. See Manage app and add-on objects in the Splunk documentation for more information.

Note: In Splunk Enterprise versions below 9.2 and Splunk Cloud Platform versions below 9.0.2205, disabling the Splunk Dashboard Studio app disables Dashboard Studio dashboard functionality. In all Splunk Enterprise and Splunk Cloud Platform versions, disabling the Splunk Dashboard Studio app breaks images and icons for Dashboard Studio dashboards and might also cause unintended problems with other Dashboard Studio functionality.
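As an added example (not Splunk's own tooling), the following POSIX shell script checks a Splunk Enterprise host for the three exposure conditions described above: a version inside an affected range from the Product Status table, the Examples Hub template file still present, and Splunk Web turned on. It assumes the standard $SPLUNK_HOME/etc/splunk.version file (a VERSION=x.y.z line) and reads the startwebserver setting only from etc/system/local/web.conf, ignoring other configuration layers.

```shell
#!/bin/sh
# Added example, not Splunk tooling: assess a Splunk Enterprise install
# against this advisory. Assumes etc/splunk.version holds "VERSION=x.y.z"
# and that startwebserver, if set, lives in etc/system/local/web.conf.

# vercmp A B: print -1, 0 or 1 comparing dotted numeric version strings
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then echo -1; return; fi
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then echo 1; return; fi
  done
  echo 0
}

# affected_version V: true when V is below the fix version of its branch
# (9.2.1, 9.1.4, 9.0.9). Branches not listed in the Product Status table
# are outside this advisory and reported as not affected.
affected_version() {
  case "$1" in
    9.0|9.0.*) fixed=9.0.9 ;;
    9.1|9.1.*) fixed=9.1.4 ;;
    9.2|9.2.*) fixed=9.2.1 ;;
    *) return 1 ;;
  esac
  [ "$(vercmp "$1" "$fixed")" -lt 0 ]
}

# check_instance SPLUNK_HOME: exit 0 only when all exposure conditions hold
# (affected version, Examples Hub template present, Splunk Web enabled).
check_instance() {
  home="$1"
  [ -f "$home/etc/splunk.version" ] || { echo "cannot read $home/etc/splunk.version"; return 2; }
  ver=$(sed -n 's/^VERSION=//p' "$home/etc/splunk.version")
  tmpl="$home/etc/apps/splunk-dashboard-studio/appserver/templates/example-hub.html"
  web=1   # Splunk Web is on unless web.conf sets startwebserver = 0
  if [ -f "$home/etc/system/local/web.conf" ]; then
    web=$(sed -n 's/^[[:space:]]*startwebserver[[:space:]]*=[[:space:]]*//p' \
          "$home/etc/system/local/web.conf" | tail -n 1)
    web="${web:-1}"
  fi
  affected_version "$ver" || { echo "version $ver is not in an affected range"; return 1; }
  [ -f "$tmpl" ] || { echo "Examples Hub template already removed"; return 1; }
  [ "$web" != "0" ] || { echo "Splunk Web is off (startwebserver = 0)"; return 1; }
  echo "EXPOSED: version $ver, template present, Splunk Web on"
  return 0
}
```

Run it as `check_instance /opt/splunk` on each search head; a zero exit status means all three conditions hold and one of the mitigations above still needs to be applied.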

Detections

Severity

The severity of this vulnerability varies based on certain conditions.

On Splunk Enterprise:

If the Splunk Enterprise environment meets the conditions that appear in the “Description” section, Splunk rates the vulnerability as High, 8.1, with a CVSSv3.1 Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N.

If the Splunk Enterprise instance does not run Splunk Web or Splunk Dashboard Studio, there is no impact and the severity is Informational.

On Splunk Cloud Platform:

Splunk implemented network-level changes that fully mitigate the vulnerability. There is no impact and the severity is Informational.

Changelog

  • 2024-04-09: Revised Splunk Cloud fixed version from 9.1.2312.200 to 9.1.2312.104 and added fix version 9.1.2308.205. Clarified Splunk Cloud Platform mitigations. Clarified mitigation of “Disabling Dashboard Studio” because this mitigation may cause unforeseen impact to customer instances. Added mitigation to remove vulnerable template file.

  • 2024-04-04: Revised Splunk Cloud fixed version from 9.1.2312.100 to 9.1.2312.200