SB2023060518 - Multiple vulnerabilities in Splunk Enterprise
Published: June 5, 2023 Updated: October 25, 2024
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Stored cross-site scripting (CVE-ID: CVE-2023-32711)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Bootstrap web framework. A remote user can inject arbitrary HTML and script code that is stored by the application and executed in other users' browsers in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information (including session material), change the appearance of the web page, and perform phishing and drive-by-download attacks. Because the payload is stored server-side, every user who renders the affected page is exposed, not only a user who follows a crafted link.
2) Improper access control (CVE-ID: CVE-2023-32717)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions on the "/services/indexing/preview" REST endpoint. A remote user holding the "edit_monitor" and "edit_upload_and_index" capabilities can bypass the implemented restrictions and overwrite the results of an existing search job if they know its search ID (SID).
3) XML External Entity injection (CVE-ID: CVE-2023-32706)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied XML input within SAML authentication. A remote, unauthenticated attacker can submit specially crafted XML to the application and cause a denial of service (DoS). Note that the affected code path is reachable before authentication completes, so the usual Splunk role restrictions do not limit who can trigger it.
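The defensive check a SAML consumer should make is illustrated below. This is an added example, not Splunk code and not taken from the advisory: a SAML Response never legitimately carries a DTD, so any DOCTYPE (the only place entity declarations can live) is rejected before the bytes reach an XML parser, as are oversized and non-UTF-8-encoded responses that a byte-level check would otherwise miss. The size limit, the sample IdP URL and the "billion laughs" style payload are constructed for the example.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_A = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_RESPONSE_BYTES = 1_000_000  # assumed upper bound; real responses are a few KB


class UnsafeSAMLResponse(ValueError):
    """Raised when the decoded response must not be handed to an XML parser."""


# <!ENTITY ...> declarations can only appear inside a DOCTYPE, and a SAML
# Response never needs one, so any DOCTYPE is grounds for rejection.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def decode_saml_response(saml_response_b64: str) -> bytes:
    """Base64-decode and vet the response; raise before any parsing happens."""
    raw = base64.b64decode(saml_response_b64, validate=True)
    if len(raw) > MAX_RESPONSE_BYTES:
        raise UnsafeSAMLResponse(f"response too large: {len(raw)} bytes")
    # A UTF-16 body would hide "<!DOCTYPE" from the byte-level check below,
    # so reject anything that is not plain UTF-8/ASCII text.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff") or b"\x00" in raw[:4]:
        raise UnsafeSAMLResponse("only UTF-8 encoded responses are accepted")
    if _DOCTYPE_RE.search(raw):
        raise UnsafeSAMLResponse("DOCTYPE/entity declarations are not allowed")
    return raw


def issuer_of(saml_response_b64: str) -> str:
    """Decode, vet, parse, and return the <saml:Issuer> text of a Response."""
    root = ET.fromstring(decode_saml_response(saml_response_b64))
    if root.tag != f"{{{SAML_P}}}Response":
        raise UnsafeSAMLResponse(f"unexpected root element {root.tag}")
    issuer = root.find(f"{{{SAML_A}}}Issuer")
    if issuer is None or not issuer.text:
        raise UnsafeSAMLResponse("missing Issuer")
    return issuer.text.strip()


def is_safe_response(saml_response_b64: str) -> bool:
    """True if the response passes every check and parses as a SAML Response."""
    try:
        issuer_of(saml_response_b64)
        return True
    except (UnsafeSAMLResponse, ET.ParseError, ValueError):
        return False


def _entity_bomb(depth: int, fanout: int = 10) -> str:
    """Nested entity declarations; each level expands to `fanout` copies of the previous."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        body = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{body}">')
    return "".join(decls)


# Constructed sample inputs (no real IdP involved).
_BENIGN_XML = (
    f'<samlp:Response xmlns:samlp="{SAML_P}" xmlns:saml="{SAML_A}" ID="_1" Version="2.0">'
    f"<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>"
    f"</samlp:Response>"
)
_MALICIOUS_XML = (
    f'<?xml version="1.0"?><!DOCTYPE samlp:Response [{_entity_bomb(8)}]>'
    f'<samlp:Response xmlns:samlp="{SAML_P}" xmlns:saml="{SAML_A}" ID="_2" Version="2.0">'
    f"<saml:Issuer>&lol8;</saml:Issuer></samlp:Response>"
)
BENIGN = base64.b64encode(_BENIGN_XML.encode("utf-8")).decode("ascii")
MALICIOUS = base64.b64encode(_MALICIOUS_XML.encode("utf-8")).decode("ascii")
UTF16_SAMPLE = base64.b64encode(_BENIGN_XML.encode("utf-16")).decode("ascii")

if __name__ == "__main__":
    print(issuer_of(BENIGN))
    print(is_safe_response(MALICIOUS), is_safe_response(UTF16_SAMPLE))
```

The eight-level bomb above would expand `&lol8;` to 10^8 copies of "lol" if a parser honored it; the point of the check is that no parser ever sees it. Modern expat builds add their own amplification limits, but those are a backstop, not a substitute for refusing DTDs in a protocol that never uses them.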
4) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2023-32716)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling in the "dump" SPL command. A remote user can supply a longer-than-expected filename to the command and cause a denial of service (DoS).
5) Improper Authorization (CVE-ID: CVE-2023-32709)
The vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists because the application does not properly restrict access to sensitive information. A remote user holding only the "user" role can use the "rest" SPL command against the "conf-user-seed" REST endpoint to disclose the hashed initial user name and password for the Splunk instance. The hash enables offline password guessing against the initial administrator account.
6) Information disclosure (CVE-ID: CVE-2023-32710)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists because the application does not adequately restrict who may read a search job's results. A remote user can perform an unauthorized transfer of data from a search using the "copyresults" command if they know the search ID (SID) of a recently run search job.
7) HTTP response splitting (CVE-ID: CVE-2023-32708)
The vulnerability allows a remote user to perform HTTP splitting attacks.
The vulnerability exists because the software does not correctly process CRLF character sequences passed to the "rest" SPL command. A remote user can send a specially crafted request containing a CRLF sequence and cause the application to emit a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker to perform a cache poisoning attack or to deliver attacker-controlled content in what the client believes is a second response from the server.
8) Improper Output Neutralization for Logs (CVE-ID: CVE-2023-32712)
The vulnerability allows a remote attacker to inject content into log files.
The vulnerability exists due to improper input validation. A remote attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attacker inserts American National Standards Institute (ANSI) escape codes into specific log files; the codes take effect when an administrator views those files in a terminal program that interprets them.
The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction (an administrator opening the log in such a terminal) to succeed.
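Items 7 and 8 are two faces of one defect: attacker-controlled text reaching an output channel (an HTTP header, a log line) without its control characters being neutralized. The following added example, which is not Splunk code and not part of the advisory, shows the vulnerable concatenation pattern for a header, a split response being produced from it, the reject-on-control-character check that closes it, and a log-neutralization routine that rewrites ESC and other control bytes so an ANSI payload cannot drive the viewer's terminal or forge extra log records. The request paths, payloads and log text are constructed for the example.

```python
class HeaderInjection(ValueError):
    """Raised when a header value could terminate the header block early."""


def neutralize_for_log(value: str) -> str:
    """Make attacker-controlled text safe to write into a log line (CWE-117).

    ESC and every other C0/C1 control character (tab excepted) is rewritten as
    a visible \\xNN escape, and CR/LF become literal \\r and \\n, so one request
    can neither drive the viewer's terminal nor inject additional log records.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif (code < 0x20 and ch != "\t") or 0x7F <= code <= 0x9F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


def safe_header_value(value: str) -> str:
    """Reject, rather than repair, header values carrying CR, LF or other control bytes."""
    if any((ord(ch) < 0x20 and ch != "\t") or ord(ch) == 0x7F for ch in value):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def header_is_safe(value: str) -> bool:
    try:
        safe_header_value(value)
        return True
    except HeaderInjection:
        return False


def build_redirect_unsafe(location: str) -> bytes:
    """The vulnerable pattern: a caller-supplied value concatenated straight into a header."""
    return (
        f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"
    ).encode("latin-1")


def build_redirect(location: str) -> bytes:
    """Hardened variant: the value is vetted before it is placed in the header."""
    return build_redirect_unsafe(safe_header_value(location))


def count_responses(wire: bytes) -> int:
    """How many HTTP responses a client would see in this byte stream."""
    return wire.count(b"HTTP/1.1 ")


# Constructed inputs (not taken from any real Splunk request or log).
SPLIT_PAYLOAD = (
    "/en-US/app/search\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 25\r\n\r\n"
    "<script>alert(1)</script>"
)
ANSI_PAYLOAD = "/en-US/app/search?q=\x1b[2J\x1b[31mALERT\x1b[0m\nJun 05 forged record"

if __name__ == "__main__":
    print(count_responses(build_redirect_unsafe(SPLIT_PAYLOAD)))  # the split response
    print(header_is_safe(SPLIT_PAYLOAD))
    print(neutralize_for_log(ANSI_PAYLOAD))
```

Rejecting is preferable to stripping for headers: a value that contained CRLF was hostile, and silently removing the bytes leaves the rest of the attacker's string in place. Logs are the opposite case, where the record must still be written, so there the control bytes are made visible instead of dropped.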
9) Improper Authorization (CVE-ID: CVE-2023-32707)
The vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists because the application does not honor the "grantableRoles" setting in the authorize.conf configuration file. A remote user holding the "edit_user" capability can send a specially crafted HTTP request and obtain administrative privileges within the application. Because "edit_user" is commonly delegated to help-desk or tier-1 roles, any role that holds it should be treated as able to reach admin until the fix is applied.
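The check that item 9 describes as missing is shown below as an added example; it is not Splunk's code and not taken from the advisory. It loads a constructed authorize.conf excerpt laid out with Splunk's [role_<name>], importRoles and grantableRoles keys, resolves capabilities inherited through importRoles, and refuses a role grant unless the requester holds edit_user and every requested role is listed in grantableRoles. Assumptions: both ";" and "," are accepted as list separators, grantableRoles is unioned across the requester's roles but not inherited, and a requester whose roles set no grantableRoles can grant nothing (a deny-by-default choice for the example, stricter than a permissive default would be). The role names and capabilities in the excerpt are invented.

```python
import configparser
import re

# Constructed authorize.conf excerpt; the stanza and key names follow Splunk's
# layout, but the roles themselves are invented for this example.
AUTHORIZE_CONF = """
[role_user]
search = enabled

[role_power]
importRoles = user
schedule_search = enabled

[role_helpdesk]
importRoles = user
edit_user = enabled
grantableRoles = user;power

[role_admin]
importRoles = power
edit_user = enabled
edit_roles = enabled
grantableRoles = user;power;helpdesk;admin
"""


def _split_list(value: str) -> list[str]:
    # Assumption: accept both ';' and ',' as separators (importRoles uses ';').
    return [item.strip() for item in re.split(r"[;,]", value) if item.strip()]


def load_roles(conf_text: str) -> dict:
    """Parse [role_*] stanzas into {name: {imports, grantable, capabilities}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase keys intact
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        opts = dict(cp.items(section))
        roles[section[len("role_"):]] = {
            "imports": _split_list(opts.pop("importRoles", "")),
            "grantable": _split_list(opts.pop("grantableRoles", "")),
            "capabilities": {k for k, v in opts.items() if v.strip().lower() == "enabled"},
        }
    return roles


def effective_capabilities(role: str, roles: dict, _seen=None) -> set[str]:
    """Capabilities of a role including those inherited through importRoles."""
    seen = _seen if _seen is not None else set()
    if role in seen or role not in roles:  # cycle guard / unknown role
        return set()
    seen.add(role)
    caps = set(roles[role]["capabilities"])
    for parent in roles[role]["imports"]:
        caps |= effective_capabilities(parent, roles, seen)
    return caps


def can_grant(requester_roles, requested_roles, roles: dict) -> bool:
    """The server-side check before honoring a request that assigns roles.

    Deny unless the requester holds edit_user (directly or inherited) and every
    requested role appears in grantableRoles of one of the requester's directly
    assigned roles. An empty request is also denied.
    """
    if not any("edit_user" in effective_capabilities(r, roles) for r in requester_roles):
        return False
    grantable = set()
    for r in requester_roles:
        grantable.update(roles.get(r, {}).get("grantable", []))
    requested = set(requested_roles)
    return bool(requested) and requested <= grantable


ROLES = load_roles(AUTHORIZE_CONF)

if __name__ == "__main__":
    print(can_grant(["helpdesk"], ["power"], ROLES))   # permitted by grantableRoles
    print(can_grant(["helpdesk"], ["admin"], ROLES))   # the escalation the fix must block
```

The second call is the CVE-2023-32707 scenario: a help-desk user with edit_user asking for admin. Whatever the product's own enforcement does, auditing authorize.conf for every role that holds edit_user and confirming each one has an explicit, narrow grantableRoles list is the practical follow-up to this item.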
Remediation
Install the updates from the vendor's website; the fixed versions for each issue are given in the Splunk advisories listed under References.
References
- https://advisory.splunk.com/advisories/SVD-2023-0601
- https://advisory.splunk.com/advisories/SVD-2023-0602
- https://advisory.splunk.com/advisories/SVD-2023-0603
- https://advisory.splunk.com/advisories/SVD-2023-0604
- https://advisory.splunk.com/advisories/SVD-2023-0605
- https://advisory.splunk.com/advisories/SVD-2023-0606
- https://advisory.splunk.com/advisories/SVD-2023-0609
- https://advisory.splunk.com/advisories/SVD-2023-0611
- https://advisory.splunk.com/advisories/SVD-2023-0612
- https://research.splunk.com/application/8a43558f-a53c-4ee4-86c1-30b1e8ef3606/
- https://research.splunk.com/application/bbe26f95-1655-471d-8abd-3d32fafa86f8/
- https://research.splunk.com/application/fb0e6823-365f-48ed-b09e-272ac4c1dad6/
- https://research.splunk.com/application/a1be424d-e59c-4583-b6f9-2dcc23be4875/
- https://research.splunk.com/application/e615a0e1-a1b2-4196-9865-8aa646e1708c/
- https://research.splunk.com/application/39e1c326-67d7-4c0d-8584-8056354f6593/