Improper Access Control through Role Inheritance in Splunk AI Toolkit app

Advisory ID: SVD-2026-0502

CVE ID: CVE-2026-20238

Published: 2026-05-20

Last Update: 2026-05-20

CVSSv3.1 Score: 6.5, Medium

CWE: CWE-863

Bug ID: VULN-72094

Description

In Splunk AI Toolkit versions below 5.7.3, a low-privileged user who does not hold the ‘admin’ or ‘power’ roles could access confidential data that was restricted through srchFilter configurations on custom roles.

The app contains an authorize.conf configuration file with a srchFilter entry that modifies the built-in ‘user’ role. Because the Splunk platform combines inherited search filters with the OR SPL operator, the injected filter overrides more restrictive filters on child roles.

See "About role-based user access" and "Add and edit roles with authorize.conf" in the Splunk documentation for more information.

Solution

Upgrade Splunk AI Toolkit to version 5.7.3 or higher.

Product Status

Product | Base Version | Affected Version | Fix Version
Splunk AI Toolkit | 5.7 | Below 5.7.3 | 5.7.3

Mitigations and Workarounds

Turn off Splunk AI Toolkit versions 5.7.2 and lower until a patched version is available. See "Manage app and add-on objects" in the Splunk documentation.

If you must leave the app on, then perform one of the following options and restart the Splunk platform instance:

1. Edit the $SPLUNK_HOME/etc/apps/Splunk_ML_Toolkit/default/authorize.conf file and remove the srchFilter line.

2. Edit the $SPLUNK_HOME/etc/apps/Splunk_ML_Toolkit/local/authorize.conf file and add a srchFilter line with an empty value. This overrides the srchFilter entry in the default app authorize.conf configuration.

See "About configuration file precedence" in the Splunk documentation.

Note: These mitigation options make the ai_agent_run_history_index index searchable by all users. Restrict access to this index using the srchIndexesAllowed setting on roles that are specific to Splunk AI Toolkit.
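The OR-combination from the Description and the effect of workaround option 2 can be modelled offline. The following is an added example, not Splunk code and not part of the original advisory. The role hr_public, both filter strings, the helper names and the simplified "later layer wins per key" merge are assumptions made for illustration.

```python
import configparser

BUILTIN_ROLES = {"admin", "power", "user"}

# Constructed sample stanzas. The filter strings are placeholders, not the app's real values.
APP_DEFAULT = "[role_user]\nsrchFilter = NOT index=placeholder_app_index\n"
APP_LOCAL_OVERRIDE = "[role_user]\nsrchFilter =\n"  # workaround option 2: empty value
CUSTOM_ROLES = (
    "[role_hr_public]\n"          # hypothetical restricted custom role
    "importRoles = user\n"
    "srchFilter = index=hr department=public\n"
)

def load(*layers):
    """Merge conf text layers; a later layer overrides an earlier one per key."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    for text in layers:
        cp.read_string(text)
    return cp

def filter_terms(cp, role, seen=None):
    """Collect non-empty srchFilter values from a role and every role it imports."""
    seen = set() if seen is None else seen
    section = f"role_{role}"
    if role in seen or not cp.has_section(section):
        return []
    seen.add(role)
    own = cp.get(section, "srchFilter", fallback="").strip()
    terms = [own] if own else []
    for parent in cp.get(section, "importRoles", fallback="").split(";"):
        if parent.strip():
            terms += filter_terms(cp, parent.strip(), seen)
    return terms

def effective_filter(cp, role):
    """OR the collected filters together, as the advisory describes."""
    return " OR ".join(f"({t})" for t in filter_terms(cp, role))

def builtin_roles_with_filter(conf_text):
    """Flag built-in roles that an app's authorize.conf gives a srchFilter."""
    cp = load(conf_text)
    return sorted(s[5:] for s in cp.sections()
                  if s.startswith("role_") and s[5:] in BUILTIN_ROLES
                  and cp.get(s, "srchFilter", fallback="").strip())

if __name__ == "__main__":
    print(effective_filter(load(APP_DEFAULT, CUSTOM_ROLES), "hr_public"))
    print(effective_filter(load(APP_DEFAULT, APP_LOCAL_OVERRIDE, CUSTOM_ROLES), "hr_public"))
    print(builtin_roles_with_filter(APP_DEFAULT))
```

In the first case the inherited term matches events that the custom role's own filter excludes, so the restriction is lost. With the empty local override only the custom role's filter remains.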

Detections

None

Severity

Splunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.

Acknowledgments

Martin Muller, Splunk