Splunk Enterprise affected by CVE-2023-40598

Kondukto Security Team, 05 Feb 2024
Tags: Unified Vulnerability Management, AppSec, DevSecOps


This is an overview of CVE-2023-40598, a code-execution vulnerability in Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1. We explain the nature of the vulnerability, how it is exploited, and how to fix it, with code examples, links to further reading, and guidance on preventing similar vulnerabilities in the future.

What is CVE-2023-40598

CVE-2023-40598 is a vulnerability that allows an authenticated, remote attacker to execute arbitrary code on a Splunk Enterprise instance. An attacker who can create or modify an external lookup definition can make the lookup reference a legacy internal function instead of a normal lookup script, use that function to write attacker-controlled content into the directory where Splunk Enterprise is installed, and then run that content through the lookup feature, executing commands on the underlying operating system. Splunk rates the issue 8.8 (High), CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: it requires a valid, low-privileged account, not an unauthenticated one. The root cause is that a user-controlled lookup definition could reach privileged internal functionality, and that the data it supplied was not validated before being written to disk and executed.

Splunk Enterprise is a software platform that collects, analyzes, and visualizes data from various sources. Splunk Enterprise provides a web-based management interface that allows users to configure and manage the system, as well as access various features and applications. One of these features is the external lookup, which allows users to enrich data with information from external sources, such as databases, scripts, or web services.

An external lookup is declared in transforms.conf with an external_cmd setting that names a script (usually Python) in the owning app's bin directory, together with the fields it consumes and produces. At search time splunkd runs the script as a child process, passes the field names as command-line arguments, feeds the rows to enrich as CSV on standard input and reads the enriched rows back as CSV on standard output. In the affected versions a lookup definition could instead reference a legacy internal function; invoking such a lookup caused attacker-supplied content to be written into the Splunk installation directory without validation, and a further invocation could execute it. Anyone with enough privilege to define and run lookups could therefore turn the enrichment feature into a file-write and code-execution primitive.
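To make the mechanism being abused concrete, here is a minimal external lookup script that follows the stdin/stdout CSV protocol described above. It is an added example, not Splunk's own code and not part of the original post; the stanza name ip_to_hostname, the field names ip and hostname, and the in-memory hostname table are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Minimal Splunk-style external lookup script.

Added example, not Splunk's own code. Splunk runs an external lookup script
as a subprocess: the lookup's field names arrive as command-line arguments,
the rows to enrich arrive as CSV (with a header row) on standard input, and
the script writes the same rows back as CSV on standard output with the
missing fields filled in. The matching transforms.conf stanza would be
(stanza and field names are assumed, for illustration):

    [ip_to_hostname]
    external_cmd = ip_to_hostname.py ip hostname
    fields_list  = ip, hostname

The hostname source below is a constructed in-memory table so the script
runs offline; a real script would query DNS or an asset inventory.
"""
import csv
import io
import sys

# Constructed sample data standing in for a DNS or CMDB query.
HOSTNAMES = {
    "10.0.0.5": "db01.corp.example",
    "10.0.0.7": "web01.corp.example",
}


def enrich_rows(fieldnames, stream_in, stream_out):
    """Fill the 'hostname' column for every input row whose 'ip' is known.

    Unknown IPs keep an empty hostname so that exactly one output row is
    written per input row, which is what Splunk expects from the script.
    Returns the number of rows that were enriched.
    """
    reader = csv.DictReader(stream_in)
    if reader.fieldnames is None:  # empty stdin: nothing to do
        return 0
    writer = csv.DictWriter(stream_out, fieldnames=reader.fieldnames,
                            lineterminator="\n")
    writer.writeheader()
    enriched = 0
    for row in reader:
        ip = row.get("ip", "")
        # Only fill the output field Splunk asked for in the arguments.
        if "hostname" in fieldnames and ip in HOSTNAMES:
            row["hostname"] = HOSTNAMES[ip]
            enriched += 1
        writer.writerow(row)
    return enriched


def run_lookup(fieldnames, csv_text):
    """Run enrich_rows over a CSV string; returns (output_csv, rows_enriched)."""
    out = io.StringIO()
    count = enrich_rows(fieldnames, io.StringIO(csv_text), out)
    return out.getvalue(), count


if __name__ == "__main__":
    # Invoked by splunkd as: ip_to_hostname.py ip hostname  (rows on stdin)
    enrich_rows(sys.argv[1:], sys.stdin, sys.stdout)
```

The script is trusted code that splunkd executes on behalf of whoever runs the search; the vulnerability is about who gets to decide what splunkd executes in that position, which is why lookup-definition privileges matter.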

A successful exploit lets the attacker store files inside the Splunk installation and execute arbitrary commands with the privileges of the Splunk service account (root only where Splunk has been installed to run as root, which Splunk advises against). This compromises the confidentiality, integrity, and availability of the instance and of all data it indexes, and a Splunk server is usually a valuable pivot point because of the credentials and network reach it holds.

How CVE-2023-40598 is being exploited

Splunk's advisory describes the attack only at a high level and does not publish a proof of concept. The chain looks like this:

  • The attacker needs a Splunk account (or a compromised one) whose role can create or edit lookup definitions and run searches; the CVSS vector (PR:L) reflects that a low-privileged user is enough.
  • Through Splunk Web or the REST API, the attacker creates an external lookup definition whose command references the legacy internal function rather than a script in an app's bin directory, supplying the content to be written.
  • Running a search that invokes the lookup (for example `... | lookup <name> <field>`) causes splunkd to call that function and write the attacker's content into $SPLUNK_HOME without validation.
  • A further lookup invocation runs the planted code. Commands execute with the privileges of the splunkd process, that is, the Splunk service account.

Evidence of exploitation is therefore found in lookup definition changes (transforms.conf stanzas with an external_cmd setting under etc/apps/*/local or etc/users/*/*/local), in the _audit index entries for the searches that invoked the lookup, and in unexpected files under $SPLUNK_HOME.

How to fix CVE-2023-40598

Splunk fixed the issue in Splunk Enterprise 8.2.12, 9.0.6, and 9.1.1. Every earlier build in those release lines is affected, as are older, out-of-support lines, which receive no fix. Upgrade to the fixed build for your line, or preferably to the latest release, as soon as possible.

The software updates can be installed by following the instructions in the Splunk documentation: How to upgrade Splunk Enterprise
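A quick way to decide whether an instance is affected is to compare its version string with the fixed builds above. The following script is an added example, not Splunk's tooling; it reads the version with the real `splunk version` CLI command, and the default install path /opt/splunk is an assumption.

```python
"""Check whether a Splunk Enterprise build is affected by CVE-2023-40598.

Added example, not Splunk's tooling. The fixed builds (8.2.12, 9.0.6 and
9.1.1) come from Splunk's advisory; every earlier build in those release
lines is affected, and older lines (8.1.x, 7.x) never received a fix.
"""
import re
import subprocess

# Release line -> first fixed build, per the advisory.
FIXED_BUILDS = {
    (8, 2): (8, 2, 12),
    (9, 0): (9, 0, 6),
    (9, 1): (9, 1, 1),
}
OLDEST_FIX = min(FIXED_BUILDS.values())  # (8, 2, 12)


def parse_version(text):
    """Extract (major, minor, patch) from a string such as 'Splunk 9.0.5 (build ...)'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no X.Y.Z version found in %r" % text)
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """Return (affected, reason) for a Splunk Enterprise version string."""
    version = parse_version(version_text)
    line = version[:2]
    if line in FIXED_BUILDS:
        fixed = FIXED_BUILDS[line]
        if version < fixed:
            return True, "%d.%d.%d is below the fixed build %d.%d.%d" % (version + fixed)
        return False, "%d.%d.%d is at or above the fixed build" % version
    if version < OLDEST_FIX:
        # An out-of-support line: no fixed build exists, so treat it as affected.
        return True, "release line %d.%d predates all fixed builds and has no fix" % line
    return False, "release line %d.%d is newer than the affected lines" % line


def local_splunk_version(splunk_home="/opt/splunk"):
    """Ask the local installation for its version with `splunk version`.

    The install path is an assumption; pass your own $SPLUNK_HOME.
    """
    cli = "%s/bin/splunk" % splunk_home
    return subprocess.run([cli, "version"], capture_output=True,
                          text=True, check=True).stdout.strip()


if __name__ == "__main__":
    import os
    home = os.environ.get("SPLUNK_HOME", "/opt/splunk")
    affected, reason = is_affected(local_splunk_version(home))
    print(("AFFECTED: " if affected else "not affected: ") + reason)
```

Run it on each search head and indexer, since a mixed-version deployment is only as safe as its oldest member.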

Upgrading is the only complete fix. Until it is done, reduce exposure by restricting the roles that can create or edit lookup definitions and run external commands to administrators, reviewing every existing external lookup definition (transforms.conf stanzas with an external_cmd setting) and the scripts they name, and treating any definition that does not point at a known script in an app's bin directory as suspect. Inventory first: some Splunk apps depend on external lookups, and removing or restricting them blindly will break those apps.
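The review of existing lookup definitions just described, and the monitoring recommended in the next section, can be scripted. The scanner below is an added example, not Splunk's own tooling: it walks every transforms.conf under $SPLUNK_HOME/etc, lists each external lookup, and flags commands whose first token is not a bare script name, scripts missing from the owning app's bin directory, shell metacharacters, and definitions created per user under etc/users. The default install path and the sample stanzas in the test are assumptions.

```python
"""Audit external lookup definitions in Splunk transforms.conf files.

Added example, not Splunk's own tooling. External lookups are declared in
transforms.conf stanzas carrying an `external_cmd` setting, and Splunk runs
the named script from the owning app's bin directory. The default install
path is an assumption.
"""
import os
import re

SHELL_META = re.compile(r"[;&|`$<>]")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Blank lines and '#' comments are skipped; a repeated key keeps its last
    value, which is how Splunk resolves duplicates inside one file.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def audit_external_lookups(conf_text, conf_path, bin_files):
    """Return [(stanza, external_cmd, [findings])] for one transforms.conf.

    bin_files is the set of file names in the owning app's bin directory; it
    is passed in so the check can run against text without a filesystem.
    """
    results = []
    user_context = "/etc/users/" in conf_path.replace("\\", "/")
    for name, keys in parse_conf(conf_text).items():
        cmd = keys.get("external_cmd")
        if cmd is None:
            continue  # CSV, KV store or geo lookup: no external command
        findings = []
        tokens = cmd.split()
        script = tokens[0] if tokens else ""
        if not script or os.path.basename(script) != script:
            findings.append("first token %r is not a bare script name" % script)
        elif script not in bin_files:
            findings.append("script %r not found in the app bin directory" % script)
        if SHELL_META.search(cmd):
            findings.append("shell metacharacters in external_cmd")
        if user_context:
            findings.append("user-created lookup definition (etc/users)")
        results.append((name, cmd, findings))
    return results


def bin_dir_for(conf_dir, splunk_home):
    """Locate the bin directory whose scripts a transforms.conf may reference.

    etc/apps/<app>/{default,local}/ and etc/system/{default,local}/ use the
    sibling bin/; etc/users/<user>/<app>/local/ resolves to etc/apps/<app>/bin.
    """
    app_dir = os.path.dirname(conf_dir)
    parts = os.path.normpath(app_dir).split(os.sep)
    if len(parts) >= 3 and parts[-3] == "users":
        app_dir = os.path.join(splunk_home, "etc", "apps", parts[-1])
    return os.path.join(app_dir, "bin")


def scan_splunk_home(splunk_home="/opt/splunk"):
    """Walk every transforms.conf under $SPLUNK_HOME/etc and audit it."""
    report = []
    for root, _dirs, files in os.walk(os.path.join(splunk_home, "etc")):
        if "transforms.conf" not in files:
            continue
        path = os.path.join(root, "transforms.conf")
        bin_dir = bin_dir_for(root, splunk_home)
        bin_files = set(os.listdir(bin_dir)) if os.path.isdir(bin_dir) else set()
        with open(path, encoding="utf-8", errors="replace") as fh:
            for stanza, cmd, findings in audit_external_lookups(fh.read(), path, bin_files):
                report.append((path, stanza, cmd, findings))
    return report


if __name__ == "__main__":
    import sys
    home = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SPLUNK_HOME", "/opt/splunk")
    for path, stanza, cmd, findings in scan_splunk_home(home):
        status = "SUSPECT" if findings else "ok"
        print("%-7s %s [%s] external_cmd=%r %s" % (status, path, stanza, cmd, "; ".join(findings)))
```

Run it from cron or a deployment-server job and diff the output against the previous run: a new external_cmd stanza, or one whose script changed, is exactly the event you want a human to look at.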

How to prevent similar vulnerabilities in the future

To prevent similar vulnerabilities in the future, Splunk developers and administrators should follow the best practices for secure coding and configuration, such as:

  • Implement proper authentication and authorization mechanisms for all APIs and functions that access or modify sensitive data or system resources.
  • Validate and sanitize all user-supplied data before processing or storing it, especially when passing it to external commands or scripts.
  • Restrict the permissions and privileges of the Splunk processes and files, especially those that execute external commands or scripts, to the minimum necessary.
  • Encrypt sensitive data in transit and at rest using secure protocols and algorithms.
  • Apply the latest security patches and updates for Splunk and for the underlying operating system and components.
  • Monitor and audit the Splunk system and network activity for suspicious or anomalous behavior, including changes to lookup definitions and new files under $SPLUNK_HOME.
  • Maintain a company-wide vulnerability database so that every engineering team can see and fix the vulnerabilities identified in its systems.

Summary

CVE-2023-40598 is a high-severity (CVSS 8.8) vulnerability in Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1. It lets an authenticated, low-privileged remote attacker abuse the external lookup feature to write files into the Splunk installation directory and execute commands on the underlying operating system as the Splunk service account, because a user-controlled lookup definition could reach a legacy internal function and the data it supplied was not validated. Exploitation consists of creating a malicious external lookup definition and invoking it through a search. The fix is to upgrade to a fixed release; until then, restrict who can define and run external lookups and review the existing definitions. Following the secure-coding and configuration practices above reduces the chance of similar flaws. Administrators should patch affected instances without delay.
