A high-severity Remote Code Execution (RCE) flaw in Splunk Enterprise has been discovered, enabling an attacker to upload malicious files.
Splunk Enterprise versions below 9.0.7 and 9.1.2 do not properly sanitize user-supplied Extensible Stylesheet Language Transformations (XSLT). This means an attacker can upload a malicious XSLT, which may lead to remote code execution on the Splunk Enterprise instance.
Specifics of the Splunk RCE Flaw
With a CVSSv3.1 score of 8.0, this vulnerability is rated high severity and is tracked as CVE-2023-46214.
"In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply", according to the Splunk advisory.
The attack can be triggered remotely and results in an XML injection: because the product does not properly neutralize XML special elements, an attacker may modify the XML commands, content, or syntax before the end system processes it.
A researcher who published a full proof-of-concept exploit outlines the process of going from the CVE description to working exploitation in the following steps:
- Crafted a valid XSL file
- Determined the requirements to reach the vulnerable code
- Identified the vulnerable endpoint
- Predictable upload file location
- Knew where to write the script
- Executed the script
Fixed Version and Recommendation
It is recommended that users update to Splunk Enterprise version 9.0.7 or 9.1.2.
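To turn the affected and fixed version numbers above into a patch-triage check, here is an added example (not from the article or from Splunk) that decides whether a given Splunk Enterprise build is still exposed to CVE-2023-46214, using only the two release lines the advisory names; other release lines are reported as unknown rather than assumed safe. Host names and versions in the sample inventory are constructed.

```python
# Added example: classify Splunk Enterprise builds against CVE-2023-46214.
# Fixed builds per release line, as stated in the advisory (9.0.x -> 9.0.7,
# 9.1.x -> 9.1.2). Any other line is not covered by the text, so it is
# reported as None ("unknown") instead of being treated as safe.
from typing import Dict, List, Optional, Tuple

FIXED_BY_LINE: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (9, 0): (9, 0, 7),
    (9, 1): (9, 1, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.5' (or a four-part build like '9.1.2.1') into an int tuple."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric Splunk version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> Optional[bool]:
    """True = vulnerable, False = at or above the fixed build, None = unknown line."""
    v = parse_version(version)
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        return None
    # Tuple ordering handles extra components: (9,1,2,1) is not < (9,1,2).
    return v < fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by status so the vulnerable ones can be scheduled first."""
    report: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, ver in inventory:
        status = is_affected(ver)
        key = "unknown" if status is None else ("vulnerable" if status else "fixed")
        report[key].append(host)
    return report


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("splunk-sh-01", "9.0.5"),
    ("splunk-idx-02", "9.0.7"),
    ("splunk-sh-03", "9.1.1"),
    ("splunk-idx-04", "9.1.2"),
    ("splunk-old-05", "8.2.9"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```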