Privilege escalation for users who hold the “splunk_app_soar” role in the Splunk App for SOAR

Advisory ID: SVD-2025-0101

CVE ID: CVE-2025-22621

Published: 2025-01-15

Last Update: 2025-01-15

CVSSv3.1 Score: 6.4, Medium

CWE: CWE-269

Bug ID: VULN-17594

Description

In versions 1.0.67 and lower of the Splunk App for SOAR, the Splunk documentation for that app recommended adding the admin_all_objects capability to the splunk_app_soar role. This addition could lead to improper access control for a low-privileged user that does not hold the “admin” Splunk role.

Solution

The solution differs based on whether you made any changes to the splunk_app_soar role.

If you did not make any changes to the splunk_app_soar role, upgrade Splunk App for SOAR to version 1.0.71 or higher.

If you did make changes to the splunk_app_soar role (including adding or removing capabilities), perform one of the following actions before upgrading to version 1.0.71 or higher:
- Manually delete the splunk_app_soar role using Splunk Web, or, on Splunk Enterprise only, from the authorize.conf configuration file located in $SPLUNK_HOME/etc/system/local.
- Remove any high-privileged capabilities that you added to the splunk_app_soar role, including admin_all_objects.

For more information, see Create and manage roles with Splunk Web, Assign roles for Splunk App for SOAR, and Define roles on the Splunk platform with capabilities.

Product Status

Product             | Version | Component | Affected Version | Fix Version
Splunk App for SOAR | 1.0     |           | Below 1.0.71     | 1.0.71

Mitigations and Workarounds

If you cannot upgrade to 1.0.71 or higher, you can remove any high-privileged capabilities that you added to the splunk_app_soar role, including admin_all_objects.

If you must assign a modified splunk_app_soar role that has high-privileged capabilities assigned to it, then assign it only to high-privileged users.
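The “remove high-privileged capabilities” step in both the Solution and the Mitigations and Workarounds sections comes down to auditing the [role_splunk_app_soar] stanza in authorize.conf. The following Python script is an added example written for this advisory, not Splunk’s own code or tooling: it parses an authorize.conf fragment, reports which high-privilege capabilities the role holds (directly, or inherited by any role that imports it through importRoles), and produces a corrected copy with those capabilities explicitly disabled. The sample configuration is constructed for illustration; only admin_all_objects is named by the advisory, and the other capabilities in HIGH_PRIV are real Splunk capability names included here as an assumption about what an operator might also want to watch for. Roles that are not defined in the fragment (built-in roles such as user, defined in the default authorize.conf) are reported as unresolved rather than guessed at.

```python
import configparser
from typing import Dict, Set, Tuple

# Capability named in the advisory as the one that must not be on splunk_app_soar.
ADVISORY_CAPABILITY = "admin_all_objects"

# Assumption for this example: extra capabilities a defender may treat as high-privilege.
# Only admin_all_objects comes from the advisory; edit_roles and edit_user are real Splunk
# capabilities added here for illustration.
HIGH_PRIV = frozenset({ADVISORY_CAPABILITY, "edit_roles", "edit_user"})

# Constructed authorize.conf fragment (not from a real deployment), as it might look after
# following the old documentation, plus a second role that imports splunk_app_soar.
SAMPLE_AUTHORIZE_CONF = """\
[role_splunk_app_soar]
importRoles = user
admin_all_objects = enabled
edit_roles = disabled
search = enabled

[role_soar_readonly]
importRoles = splunk_app_soar
"""

Conf = Dict[str, Dict[str, str]]


def parse_authorize_conf(text: str) -> Conf:
    """Parse INI-style authorize.conf text into {stanza: {key: value}}.

    Key case is preserved because Splunk capability names are case-sensitive."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def effective_capabilities(conf: Conf, role: str, _seen: Set[str] = None) -> Tuple[Set[str], Set[str]]:
    """Return (enabled capabilities, unresolved imported roles) for a role.

    importRoles is followed transitively for roles defined in the parsed file; roles
    defined elsewhere (for example the built-in user role) are reported as unresolved."""
    if _seen is None:
        _seen = set()
    if role in _seen:  # guard against import cycles
        return set(), set()
    _seen.add(role)
    stanza = conf.get(f"role_{role}")
    if stanza is None:
        return set(), {role}
    enabled = {k for k, v in stanza.items()
               if k != "importRoles" and v.strip().lower() == "enabled"}
    unresolved: Set[str] = set()
    for parent in (r.strip() for r in stanza.get("importRoles", "").split(",")):
        if parent:
            caps, missing = effective_capabilities(conf, parent, _seen)
            enabled |= caps
            unresolved |= missing
    return enabled, unresolved


def audit_role(conf: Conf, role: str = "splunk_app_soar", high_priv=HIGH_PRIV) -> Dict[str, list]:
    """Report high-privilege capabilities the role ends up with, and imports we could not check."""
    enabled, unresolved = effective_capabilities(conf, role)
    return {"excess": sorted(enabled & high_priv), "unresolved_imports": sorted(unresolved)}


def remediate(conf: Conf, role: str = "splunk_app_soar", high_priv=HIGH_PRIV) -> Conf:
    """Return a copy of the config with high-privilege capabilities on the role set to disabled.

    An explicit 'disabled' in the local file overrides any 'enabled' in a lower-precedence
    authorize.conf, which is how this example represents removing the capability."""
    fixed = {section: dict(kv) for section, kv in conf.items()}
    stanza = fixed.get(f"role_{role}", {})
    for cap in list(stanza):
        if cap in high_priv and stanza[cap].strip().lower() == "enabled":
            stanza[cap] = "disabled"
    return fixed


def render(conf: Conf) -> str:
    """Serialize the parsed config back to authorize.conf syntax."""
    lines = []
    for section, kv in conf.items():
        lines.append(f"[{section}]")
        lines.extend(f"{k} = {v}" for k, v in kv.items())
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    conf = parse_authorize_conf(SAMPLE_AUTHORIZE_CONF)
    print("before:", audit_role(conf), audit_role(conf, "soar_readonly"))
    fixed = remediate(conf)
    print("after: ", audit_role(fixed), audit_role(fixed, "soar_readonly"))
    print(render(fixed))
```

Run against the sample, the audit flags admin_all_objects on splunk_app_soar and, because soar_readonly imports that role, on soar_readonly as well; after remediation both come back clean, and the rendered output can be compared with the stanza in $SPLUNK_HOME/etc/system/local/authorize.conf before editing it. On a real deployment the unresolved_imports list tells you which inherited roles still need a manual check in Splunk Web.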

Detections

None

Severity

Splunk rates this vulnerability a 6.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N.

Acknowledgments

Gabriel Nitu, Splunk

Changelog

  • 2025-01-15: Updated ‘Solution’ and ‘Mitigations & Workarounds’ sections.