Splunk IT Service Intelligence Flaw Let Attacker Inject ANSI Codes in Log Files

Splunk has been reported with a Unauthenticated Log injection vulnerability in the Splunk IT Service Intelligence (ITSI) product. This vulnerability exists in Splunk ITSI versions prior to 4.13.3 or 4.15.3. 

Splunk ITSI  is an Artificial Intelligence Operations (AIOps) powered monitoring and analytics solution that provides users with visibility about the health of critical IT and business services and their infrastructure.

CVE(s):

CVE-2023-4571: Unauthenticated Log Injection in Splunk IT Service Intelligence (ITSI)

This vulnerability can be exploited by a threat actor by injecting an American National Standard Institute (ANSI) escape code inside the Splunk ITSI log files that can run malicious code in the vulnerable application if a vulnerable terminal application reads it. 

However, this vulnerability requires user interactions to be performed. The user must read the malicious log file using a terminal application that translates the ANSI escape codes in the vulnerable terminal.

This vulnerability can be exploited by threat actors to perform malicious actions like copying the malicious file from Splunk ITSI and reading it on their local machine.

The impact of this vulnerability on Splunk ITSI can vary depending upon the permission in the vulnerable terminal application. The CVSS score for this vulnerability has been given as 8.6 (High). 

Remediation

As per the security advisory, Splunk has requested its users to upgrade to version 4.13.3 or 4.15.3 to patch this vulnerability. However, logs prior to the upgrade might still be at risk. To mitigate this, users are recommended to

  • Remove existing ITSI log files in $SPLUNK_HOME/var/log/splunk/ or $SPLUNK_HOME/var/run/splunk/dispatch//itsi_search.log
  • In the case of Windows, the log files are present in %SPLUNK_HOME%\var\log\splunk and %SPLUNK_HOME%\var\run\splunk\dispatch\\itsi_search.log, which must be removed.

Affected products

ProductVersionComponentAffected VersionFix Version
Splunk ITSI4.134.13.0 to 4.13.24.13.3
Splunk ITSI4.154.15.0 to 4.15.24.15.3

Users of Splunk ITSI are recommended to upgrade to the latest version to fix this vulnerability and follow the mitigation steps provided. Organizations are getting targeted by multiple threat actors from different perspectives.

It is high time to take precautionary actions against all the identified vulnerabilities and patch them accordingly to prevent any disastrous events.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.