Multiple Security Vulnerabilities Found in Splunk

CVE-2023-40595

A number of security vulnerabilities have been found in Splunk, a data analytics platform. The vulnerabilities affect Splunk Enterprise and Splunk SOAR and could allow an attacker to execute arbitrary code, gain unauthorized access, or disrupt operations.

The vulnerabilities are:

  • CVE-2023-4571: Unauthenticated Log Injection in Splunk IT Service Intelligence (ITSI)
  • CVE-2023-40598: Command Injection in Splunk Enterprise Using External Lookups
  • CVE-2023-40597: Absolute Path Traversal in Splunk Enterprise Using runshellscript.py
  • CVE-2023-40595: Remote Code Execution via Serialized Session Payload
  • CVE-2023-40592: Reflected Cross-site Scripting (XSS) on “/app/search/table” web endpoint
  • CVE-2023-3997: Unauthenticated Log Injection In Splunk SOAR

How the vulnerabilities work

The vulnerabilities work in different ways, but they all have the potential to allow an attacker to gain unauthorized access to Splunk systems or execute arbitrary code.

  • CVE-2023-4571: This vulnerability allows an attacker to inject ANSI escape codes into Splunk ITSI log files. When a vulnerable terminal application reads these log files, it can interpret the injected escape codes as malicious code, which could then be executed.
  • CVE-2023-40598: This vulnerability allows an attacker to create an external lookup that calls a legacy internal function. The attacker can then use this internal function to insert code into the Splunk platform installation directory. This code could then be executed by a Splunk user.
  • CVE-2023-40597: This vulnerability allows an attacker to exploit an absolute path traversal to execute arbitrary code that is located on a separate disk. The attacker can do this by placing a specially crafted script on a disk to which the attacker has write access.
  • CVE-2023-40595: This vulnerability allows an attacker to execute a specially crafted query that can then be used to serialize untrusted data. The attacker can then use this data to execute arbitrary code.
  • CVE-2023-40592: This vulnerability allows an attacker to craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint. This endpoint is used to create table views in Splunk Web. If the vulnerability is exploited, the attacker could execute arbitrary code on the Splunk platform instance.
  • CVE-2023-3997: This vulnerability allows an attacker to inject ANSI escape codes into Splunk SOAR log files. When a vulnerable terminal application reads these log files, it can interpret the injected escape codes as malicious code, which could then be executed.

The best way to protect yourself from these vulnerabilities is to upgrade Splunk Enterprise and Splunk SOAR to the latest versions. Splunk has released patches for all of the vulnerabilities.

If you cannot upgrade immediately, you can mitigate the risk by disabling Splunk Web on indexers in a distributed environment. You can also disable the ability to process ANSI escape codes in terminal applications.
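
For the two log injection issues (CVE-2023-4571 and CVE-2023-3997), one way to check log files for ANSI escape codes and make them inert before viewing them in a terminal is sketched below. This is an added example, not code from Splunk or from the original page; the function names and the sample log lines are constructed for illustration.

```python
import re

# ESC-introduced sequences, matched on raw bytes so the check does not
# depend on the log file's text encoding.
ANSI_SEQ = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]"                # CSI: colours, cursor movement, erase
    rb"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"    # OSC: window title and similar
    rb"|\x1b[@-Z\\^_]"                         # other two-character escapes
)
# Any C0 control byte except tab, plus DEL. Covers bare ESC and carriage return.
CONTROL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")


def neutralize(line: bytes) -> str:
    """Replace control bytes with a visible \\xNN form so a terminal prints them as text."""
    safe = CONTROL.sub(lambda m: b"\\x%02x" % m.group()[0], line)
    return safe.decode("utf-8", errors="backslashreplace")


def scan(lines):
    """Return (line_number, sequences_found, safe_text) for each line holding control bytes."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip(b"\r\n")
        if CONTROL.search(line):
            findings.append((number, ANSI_SEQ.findall(line), neutralize(line)))
    return findings


# Constructed sample input: not real Splunk ITSI or SOAR log output.
SAMPLE_LOG = [
    b"2023-08-30 12:00:01 INFO request path=/health status=200\n",
    b"2023-08-30 12:00:02 WARN request path=/login user=alice\x1b[2K\x1b[1A status=401\n",
    b"2023-08-30 12:00:03 INFO request path=/x\x1b]0;constructed title\x07 status=200\n",
]

if __name__ == "__main__":
    for number, sequences, safe_text in scan(SAMPLE_LOG):
        print(f"line {number}: {len(sequences)} escape sequence(s)")
        print(f"  {safe_text}")
```

Lines that contain no control bytes are not reported, so the output can serve as a short review list for a log directory before anyone opens the files with a terminal pager.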