Splunk RCE Vulnerability

A high-severity Remote Code Execution (RCE) flaw in Splunk Enterprise has been discovered, enabling an attacker to upload malicious files.

Splunk Enterprise versions below 9.0.7 and 9.1.2 do not properly sanitize user-supplied Extensible Stylesheet Language Transformations (XSLT). This means an attacker can upload a malicious XSLT, which may lead to remote code execution on the Splunk Enterprise instance.


Specifics of the Splunk RCE Flaw

With a CVSSv3.1 Score of 8.0, this vulnerability is categorized as high severity and tracked as CVE-2023-46214.

“In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply,” according to the Splunk advisory.

The attack can be triggered remotely and is classified as XML injection: because the product does not properly neutralize XML’s special elements, an attacker can alter the XML commands, content, or syntax before the receiving system processes it.
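The advisory’s point is that user-supplied XSLT reached the transformer without sanitization. The following added example (written for this article, not Splunk’s code) shows the allowlist check a defender would place in front of any XSLT upload path: only core XSLT 1.0 elements are accepted, stylesheets that pull in external material (`xsl:include`, `xsl:import`, `document()`) or enable extension elements are rejected. The element allowlist, the namespace `urn:example:extension`, and both sample stylesheets are constructed for illustration.

```python
"""Allowlist validation for user-supplied XSLT, run before the stylesheet is
handed to a transformer.  Added example, not Splunk code.  The allowlist and
the two sample stylesheets below are constructed for illustration."""
import xml.etree.ElementTree as ET

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
XHTML_NS = "http://www.w3.org/1999/xhtml"

# Core XSLT 1.0 elements a report/template feature plausibly needs (constructed).
ALLOWED = {
    "stylesheet", "transform", "template", "value-of", "for-each", "if",
    "choose", "when", "otherwise", "apply-templates", "text", "variable",
    "param", "with-param", "attribute", "element", "sort", "copy-of", "output",
}
# Elements that pull in or execute material beyond the stylesheet body.
DENIED = {"include", "import", "script"}
# Namespaces literal result elements may use; anything else is treated as a
# possible extension element.
RESULT_NS_ALLOWED = {"", XHTML_NS}


def validate_xslt(xsl_text: str) -> list[str]:
    """Return a list of problems; an empty list means the stylesheet passes."""
    problems: list[str] = []
    try:
        root = ET.fromstring(xsl_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag not in (f"{{{XSLT_NS}}}stylesheet", f"{{{XSLT_NS}}}transform"):
        problems.append(f"root element is {root.tag!r}, not xsl:stylesheet")

    for elem in root.iter():
        ns, _, local = elem.tag.rpartition("}")
        ns = ns.lstrip("{")
        if ns == XSLT_NS:
            if local in DENIED:
                problems.append(f"xsl:{local} is not permitted")
            elif local not in ALLOWED:
                problems.append(f"xsl:{local} is outside the allowlist")
            # This attribute turns foreign-namespace elements into executable
            # extension instructions, so it is never accepted.
            if "extension-element-prefixes" in elem.attrib:
                problems.append("extension-element-prefixes attribute is not permitted")
        elif ns not in RESULT_NS_ALLOWED:
            problems.append(f"element in foreign namespace {ns!r}: {local}")
        # XPath expressions must not reach outside the input document.
        for attr in ("select", "test", "match"):
            if "document(" in elem.attrib.get(attr, ""):
                problems.append(f"document() call in {attr!r} expression")
    return problems


# Constructed sample: a plain reporting stylesheet that should pass.
GOOD_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:for-each select="//event"><xsl:value-of select="@host"/></xsl:for-each>
  </xsl:template>
</xsl:stylesheet>"""

# Constructed sample: declares an extension prefix, includes an external file
# and uses a foreign-namespace element.  Should be rejected with three findings.
BAD_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:ext="urn:example:extension"
    extension-element-prefixes="ext">
  <xsl:include href="shared.xsl"/>
  <xsl:template match="/">
    <ext:run-helper/>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    print("good:", validate_xslt(GOOD_XSL))
    print("bad: ", validate_xslt(BAD_XSL))
```

The check is deliberately an allowlist rather than a blocklist: a new vendor extension or a renamed element fails closed instead of slipping through, which is the property the advisory says the affected versions lacked.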


According to a researcher who outlined the process of identifying the vulnerability, working from the full proof-of-concept exploit and the CVE description, the following steps were followed:

  • Crafted a valid XSL file
  • Determined the requirements to reach the vulnerable code
  • Identified the vulnerable endpoint
  • Found a predictable upload file location
  • Determined where to write the script
  • Executed the script

(Figures: “Finding an Endpoint”; “Fixed Version” and “Splunk Versions” tables from the Splunk advisory.)

Recommendation

Users are advised to update to Splunk Enterprise version 9.0.7 or 9.1.2.
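Because the fix landed on two release branches, a plain numeric comparison gets the recommendation wrong (9.1.0 is numerically above 9.0.7 yet still affected). The added example below (not a Splunk tool) applies the article’s fixed versions branch by branch; only the 9.0.x and 9.1.x branches are covered by the article, so any other branch is reported as not covered rather than guessed. The host inventory is constructed sample data.

```python
"""Branch-aware check of Splunk Enterprise versions against the fixed releases
named in the article (9.0.7 and 9.1.2).  Added example, not a Splunk tool.
Branches the article does not mention are reported as 'not covered here'."""

# Fixed release per branch, taken from the article.
FIXED = {(9, 0): (9, 0, 7), (9, 1): (9, 1, 2)}


def parse_version(version: str) -> tuple[int, ...]:
    """'9.0.5.1' -> (9, 0, 5, 1); a build suffix such as '-abc' is dropped."""
    core = version.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def cve_2023_46214_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'not covered here' for one version string."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return "not covered here"
    # Tuple comparison is numeric per component, so 9.1.10 is above 9.1.2.
    return "affected" if parsed < fixed else "fixed"


def triage_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host to its status so affected hosts can be scheduled first."""
    return {host: cve_2023_46214_status(ver) for host, ver in inventory.items()}


# Constructed sample inventory.
SAMPLE_INVENTORY = {
    "splunk-idx-01": "9.0.5",
    "splunk-sh-01": "9.1.0",
    "splunk-sh-02": "9.1.2",
    "splunk-hf-03": "9.0.7.1-build42",
    "splunk-legacy": "8.2.9",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {SAMPLE_INVENTORY[host]:16} {status}")
```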


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.