CVE-2023-40596: Splunk Enterprise on Windows Privilege Escalation Vulnerability
A critical vulnerability has been found in Splunk Enterprise, a data platform designed to help businesses manage big data and analyze machine data. The vulnerability tracked as CVE-2023-40596, allows an attacker to escalate their privileges on a Windows machine by abusing an insecure path reference in a DLL file that ships with Splunk Enterprise.
For the uninitiated, Splunk Enterprise is more than just a data platform. It’s a wizard that turns machine data into operational intelligence. Be it for on-premises deployment or cloud integration via the Splunk Cloud Platform, Splunk Enterprise offers invaluable insights by managing and analyzing vast chunks of machine data. Businesses, regardless of their size, consider it a quintessential tool in their tech arsenal.
Image: Splunk
The CVE-2023-40596 vulnerability, graded with a CVSS score of 7.0, may not sound like a massive siren, but it is certainly not to be ignored. The core of this issue rests in a dynamic link library (DLL) that accompanies Splunk Enterprise.
In certain versions of Splunk Enterprise, the DLL uses an insecure reference path for its OPENSSLDIR build definition. This misstep offers a golden opportunity for cyber attackers. They can exploit this reference, install malevolent code, and escalate their privileges on the targeted Windows machine.
But how did this oversight occur? It all boils down to the creation of DLL files within Splunk’s installation. If a build definition reference isn’t specified, the system defaults to a local directory on the build system. In this case, the OPENSSLDIR definition missed its explicit mention during the build process, leading to this vulnerable encoding in the DLL file.
An astute attacker, recognizing this, can carve a local directory structure on the Splunk instance and install malicious codes, thereby heightening their control over the Windows host.
The best way to protect yourself from this vulnerability is to upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. These versions include a fix for the vulnerability.
If you cannot upgrade Splunk Enterprise immediately, you can mitigate the risk of exploitation by restricting the permissions of the user that runs the splunkd process to core functionality. For more information, please see the Harden Your Windows Installation guide.
