Customer Advisory | Splunk Critical Vulnerability

By Eric Ford, Sr. Threat Intelligence Analyst

Estimated Reading Time: 9 minutes

What You Need to Know

  • Splunk’s Product Security Team disclosed eight vulnerabilities on June 14, 2022 that impact various components of Splunk Enterprise prior to version 9.0 and, for several of them, the Splunk Cloud Platform.
  • The most critical vulnerability is being tracked as CVE-2022-32158 and has a CVSS score of 9.0. If exploited, this vulnerability could allow a compromised Universal Forwarder to publish unauthorized content to the subscribed-to deployment server. This would effectively allow an actor to execute arbitrary code on other Universal Forwarders subscribed to the deployment server.
  • Splunk’s primary recommendation for remediating these vulnerabilities has been to upgrade the various impacted components of Splunk Enterprise to version 9.0. Splunk is not aware of any successful exploitation of these vulnerabilities at this time. 
  • Attempts to exploit these vulnerabilities can potentially be identified by monitoring for unexpected Splunk applications or Universal Forwarders being added to the environment, suspicious processes / commands being run on machines with Universal Forwarders installed, and unexpected child processes of Splunk processes.
  • Multiple teams within Deepwatch are actively working with customers that may be impacted by these vulnerabilities. Customers may reach out to their Deepwatch team directly for specific response actions being performed.

Overview

Splunk’s Product Security Team announced a list of eight vulnerabilities on 06/14/2022. The vulnerabilities that were disclosed impact various components of Splunk Enterprise. Deepwatch is reviewing these vulnerabilities and building a response strategy for customers. 

The original security advisories posted by Splunk are listed under Sources at the end of this advisory.

Vulnerability Details, Affected Products, and Recommendations

A brief overview, CVE ID, and the respective severity level of the eight vulnerabilities are listed below:

CVE             Severity  Title
CVE-2022-32158  Critical  Deployment servers allow client publishing of bundles
CVE-2022-32157  High      Deployment servers allow unauthenticated bundle access
CVE-2022-32156  High      Splunk Enterprise and Universal Forwarder CLI connections lacked TLS certificate validation
CVE-2022-32153  High      Splunk Enterprise lacked TLS hostname certificate validation
CVE-2022-32152  High      Splunk Enterprise lacked TLS certificate validation for Splunk-to-Splunk communication by default
CVE-2022-32151  High      Splunk Enterprise disabled TLS validation using the CA certificate stores in Python 3 libraries by default
CVE-2022-32154  Medium    Risky commands warnings in dashboards
CVE-2022-32155  N/A       UF management services allows remote login by default

CVE-2022-32158

CVE-2022-32158 is a critical vulnerability with a CVSS score of 9.0 that affects Splunk Enterprise deployment servers. A threat actor who has “compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server.” Additionally, Splunk is not aware of any exploitation of this vulnerability. 

Analyst Note:

A threat actor who has exploited another vulnerability, or gained access via other means such as phishing, to an endpoint that has a Universal Forwarder installed on it could exploit this vulnerability to execute arbitrary code or spread malware, such as ransomware and info stealers, to other endpoints that have Universal Forwarders installed on them.

This vulnerability affects all Splunk Enterprise deployment server versions prior to 9.0 and Splunk recommends that organizations upgrade “Splunk Enterprise deployment servers to version 9.0 or higher.” 

The Splunk Cloud Platform (SCP) itself is not affected by this vulnerability as SCP does not offer nor use deployment servers. For customers that manage their own deployment servers and utilize SCP infrastructure, Splunk recommends upgrading to version 9.0 or higher. 
Of note is that Splunk’s Product team is considering creating a back-ported fix for CVE-2022-32158 that doesn’t require a 9.0 upgrade (the discussion is hosted on Splunk’s site and requires a Splunk account to view).

CVE-2022-32157

CVE-2022-32157 is rated as high with a CVSS score of 7.0 and affects Splunk Enterprise deployment servers. The vulnerability allows the “unauthenticated downloading of forwarder bundles” and may be considered an information disclosure vulnerability, as it would allow a threat actor to download all the assigned apps from a Deployment Server. Being able to download the applications from a Deployment Server would let the threat actor know what is and isn’t being logged by Splunk. Additionally, Splunk is not aware of any exploitation of this vulnerability.

This vulnerability affects all Splunk Enterprise deployment server versions prior to 9.0 and Splunk recommends all organizations “upgrade Splunk Enterprise deployment servers to version 9.0 or higher, upgrade Universal Forwarders to version 9.0 or higher, and configure authentication for deployment servers and clients.” 

Organizations that use SCP are not affected by this vulnerability, as SCP does not offer nor use deployment servers. For customers that host their own, Splunk recommends upgrading to version 9.0 or higher.

CVE-2022-32156

CVE-2022-32156 is rated as high with a CVSS score of 7.4 and affects Splunk Enterprise and Universal Forwarder versions prior to 9.0. According to Splunk’s advisory, “Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface (CLI) did not validate TLS certificates while connecting to a remote Splunk platform instance by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, connections from misconfigured nodes without valid certificates did not fail by default. After updating to version 9.0, see Configure TLS host name validation for the Splunk CLI to enable the remediation.” Additionally, Splunk is not aware of any exploitation of this vulnerability.

This vulnerability affects all Splunk Enterprise versions and Splunk Universal Forwarder versions before 9.0. Splunk recommends organizations “upgrade Splunk Enterprise and Universal Forwarder versions to 9.0 or higher and Configure TLS host name validation for the Splunk CLI.”

Organizations that use the SCP are not affected by this vulnerability as SCP does not offer or use deployment servers.

CVE-2022-32153

CVE-2022-32153 is rated as high with a CVSS score of 8.1 and affects Splunk Enterprise and Cloud Platforms. A threat actor could perform a “machine-in-the-middle” attack if the threat actor compromised “a valid certificate within the Splunk certificate authority (CA) chain for the specific customer environment or a trusted machine’s chain.” Additionally, Splunk is not aware of any exploitation of this vulnerability.

This vulnerability affects all Splunk Enterprise versions before 9.0 and SCP versions before 8.2.2203. Splunk recommends organizations that deploy “Splunk Enterprise, update to Splunk Enterprise version 9.0 or higher and Configure TLS host name validation to enable the remediation. For SCP customers, Splunk is actively patching and monitoring Splunk Cloud instances.”

CVE-2022-32152

CVE-2022-32152 is rated as high with a CVSS score of 8.1 and affects Splunk Enterprise and Cloud Platforms. According to Splunk’s advisory, “Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and SCP versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured properly with valid certificates were not vulnerable. However, an administrator could add a peer without a valid certificate and connections from misconfigured nodes without valid certificates did not fail by default.” Additionally, Splunk is not aware of any exploitation of this vulnerability.

This vulnerability affects all Splunk Enterprise versions before 9.0 and SCP versions before 8.2.2203. Splunk recommends organizations that deploy “Splunk Enterprise, update to Splunk Enterprise version 9.0 or higher and Configure TLS host validation for Splunk-to-Splunk communications to enable the remediation. For SCP customers, Splunk is actively patching and monitoring Splunk Cloud instances.”

CVE-2022-32151

CVE-2022-32151 is rated as high with a CVSS score of 7.4 and affects Splunk Enterprise and Cloud Platforms. Splunk’s advisory states that “the httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in certain Splunk Enterprise and Splunk Cloud Platform.” Additionally, Splunk is not aware of any exploitation of this vulnerability.

This vulnerability affects all Splunk Enterprise versions before 9.0 and SCP versions before 8.2.2203. Splunk recommends organizations that deploy “Splunk Enterprise, upgrade to version 9.0 or higher and Configure TLS host name validation for Splunk Python modules. For SCP customers, Splunk is actively patching and monitoring Splunk Cloud instances.”

CVE-2022-32154

CVE-2022-32154 is rated as medium with a CVSS score of 6.8 and affects Splunk Enterprise and Cloud Platforms. According to Splunk’s advisory, the vulnerability could allow a threat actor to inject “search commands into a form token when the token is used in a query in a cross-origin request.” Splunk also notes “that the attack is browser-based and an attacker cannot exploit it at will.” Additionally, Splunk is not aware of any exploitation of this vulnerability.

This vulnerability affects all Splunk Enterprise versions before 9.0 and SCP versions before 8.2.2106. Splunk recommends organizations that deploy “Splunk Enterprise, upgrade to version 9.0 or higher and Configure TLS host name validation for Splunk Python modules. For SCP customers, Splunk is actively patching and monitoring Splunk Cloud instances.”

CVE-2022-32155

CVE-2022-32155 has no assigned severity or CVSS score and concerns Splunk Enterprise and Cloud Platforms. Splunk’s advisory states that the “management services are available remotely by default. When not required, it introduces a potential exposure, but it is not a vulnerability. If exposed, we recommend each customer assess the potential severity specific to your environment.” Additionally, Splunk is not aware of any exploitation of this vulnerability.

This vulnerability affects all Splunk Enterprise versions before 9.0 and SCP versions before 8.2.2106. Splunk recommends organizations “Upgrade Universal Forwarder versions to 9.0 or If management services are not required in versions before 9.0, set disableDefaultPort = true in server.conf OR allowRemoteLogin = never in server.conf OR mgmtHostPort = localhost in web.conf.”
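As an added illustration, not code from the advisory or from Splunk, the following Python audit reads a forwarder’s server.conf and web.conf text and reports which of the three settings named above are in place. The stanza placement and the defaults it assumes for absent keys are taken from my reading of Splunk’s documentation and should be treated as assumptions, as should the sample file contents.

```python
import configparser
from typing import Dict

# Constructed sample configurations (not real files): one pair leaves the
# management service reachable, the other applies the advisory's settings.
EXPOSED_SERVER_CONF = "[general]\nserverName = uf-host01\n"
EXPOSED_WEB_CONF = "[settings]\nmgmtHostPort = 0.0.0.0:8089\n"
HARDENED_SERVER_CONF = (
    "[general]\nserverName = uf-host01\nallowRemoteLogin = never\n\n"
    "[httpServer]\ndisableDefaultPort = true\n"
)
HARDENED_WEB_CONF = "[settings]\nmgmtHostPort = 127.0.0.1:8089\n"

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _load(text: str) -> configparser.ConfigParser:
    """Parse an INI-style Splunk .conf file, keeping key case as Splunk does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return cp


def _host_part(value: str) -> str:
    # Accepts "host", "host:port" and "[v6addr]:port" forms.
    if value.startswith("["):
        return value[1:value.find("]")].lower()
    return value.rsplit(":", 1)[0].lower() if value.count(":") == 1 else value.lower()


def management_exposure(server_conf: str, web_conf: str) -> Dict[str, object]:
    """Report which CVE-2022-32155 mitigations are present.

    Assumed layout: disableDefaultPort under [httpServer] and allowRemoteLogin
    under [general] in server.conf, mgmtHostPort under [settings] in web.conf.
    An absent key is treated as the shipped default, i.e. still reachable.
    """
    srv, web = _load(server_conf), _load(web_conf)
    port_disabled = srv.get("httpServer", "disableDefaultPort", fallback="false").strip().lower() == "true"
    remote_login = srv.get("general", "allowRemoteLogin", fallback="requireSetPassword").strip()
    mgmt = web.get("settings", "mgmtHostPort", fallback="0.0.0.0:8089").strip()
    local_only = _host_part(mgmt) in LOOPBACK_HOSTS
    return {
        "disableDefaultPort": port_disabled,
        "allowRemoteLogin": remote_login,
        "mgmtHostPort": mgmt,
        "local_only": local_only,
        # any one of the three settings satisfies the advisory's "OR"
        "mitigated": port_disabled or remote_login.lower() == "never" or local_only,
    }
```

Because Splunk merges default/ and local/ copies of each .conf file, run this against the effective (btool-style) merged configuration rather than a single file when checking a real host.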

Be On the Lookout (BOLO)

It is recommended to audit and monitor logs for the following:

  • Unexpected bundles being deployed via deployment servers. 
  • Unauthenticated clients downloading forwarder bundles.
  • Suspicious processes/commands being run on machines with Universal Forwarders installed. 
    • Unexpected child processes of Splunk processes
      • e.g. PowerShell, bash, whoami, netstat, arp -a, curl, wget, etc.
    • Note: Splunk processes may have legitimate uses for cmd.exe, etc.
      • This logic is meant for high-level hunting and results may not be indicative of exploit/compromise.
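As an added example, not part of the advisory, the following Python applies the child-process logic above to a handful of constructed process-creation events. The event layout, host names and paths are assumptions, and cmd.exe is deliberately left off the watch list for the reason given in the note.

```python
import re
from typing import Dict, List

# Constructed process-creation events (not real telemetry), simplified to
# "timestamp|host|parent_image|image|command_line".
SAMPLE_EVENTS = [
    "2022-06-15T10:01:02Z|uf-host01|C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
    "2022-06-15T10:01:05Z|uf-host01|C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -Command Get-Date",
    "2022-06-15T10:02:10Z|uf-host02|/opt/splunkforwarder/bin/splunkd|/usr/bin/whoami|whoami",
    "2022-06-15T10:02:11Z|uf-host02|/opt/splunkforwarder/bin/splunkd|/usr/bin/python3|python3 /opt/splunkforwarder/etc/apps/myapp/bin/collect.py",
    "2022-06-15T10:03:00Z|uf-host03|/usr/lib/systemd/systemd|/usr/bin/curl|curl http://example.invalid",
]

# Child images from the BOLO list above; cmd.exe is excluded because splunkd
# has legitimate uses for it and it would only add noise to a first-pass hunt.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "bash", "sh", "whoami", "whoami.exe",
    "netstat", "netstat.exe", "arp", "arp.exe", "curl", "curl.exe", "wget",
}


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def _is_splunk_parent(parent_image: str) -> bool:
    # Matches splunkd, splunkd.exe and helper binaries such as splunk-optimize.
    return _basename(parent_image).startswith("splunk")


def flag_splunk_children(events: List[str]) -> List[Dict[str, str]]:
    """Return events where a Splunk process spawned a child on the watch list."""
    findings = []
    for line in events:
        ts, host, parent, image, cmdline = line.split("|", 4)
        if not _is_splunk_parent(parent):
            continue  # only Splunk parents matter for this hunt
        child = _basename(image)
        if child in SUSPICIOUS_CHILDREN:
            findings.append({"ts": ts, "host": host, "parent": _basename(parent),
                             "child": child, "command_line": cmdline})
    return findings


if __name__ == "__main__":
    for f in flag_splunk_children(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']}: {f['parent']} -> {f['child']} ({f['command_line']})")
```

On the sample data the script surfaces the powershell.exe and whoami children while ignoring the scripted python3 input and a curl launched by systemd, which is the high-level triage the note describes rather than a verdict of compromise.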

Additionally, Splunk has developed several detections, listed below, that may aid in the observation of possible exploitation of these vulnerabilities. Furthermore, Deepwatch is evaluating these detections for deployment across customer environments.

Deepwatch Threat Intel Outlook

Due to the complexity of attacks necessary to exploit the majority of these vulnerabilities, lack of publicly available proof-of-concept code, and no known active exploitation, customers that have vulnerable products are unlikely to be targeted by threat actors. Additionally, technical details regarding the vulnerabilities are lacking and would cost a threat actor significant investment in time and resources to develop working exploitation code. Furthermore, a threat actor would also need to determine what data could be accessed by exploiting any of the vulnerabilities.

The Deepwatch Threat Intel Team has moderate confidence in this analysis. The analyst(s) had some time constraints and the task complexity was moderate; the source reliability is above average, but there are no additional corroborating sources available for the estimate. Additionally, analyst collaboration was sufficient.

Conclusion

The amount of data that Splunk can store for an organization is considerable, and the platform is often a rich target for adversaries. If a threat actor were to successfully exploit the aforementioned vulnerabilities, it could allow them to pivot and escalate throughout an organization’s network fairly quickly (CVE-2022-32158 and CVE-2022-32157), as well as disclose sensitive information about what is (and isn’t) being logged on systems. Although Splunk’s primary recommendation surrounding these vulnerabilities is to upgrade to version 9.0 of the platform, each organization should appropriately analyze the risks associated with doing so. For further details on how Deepwatch is working with customers to respond to these vulnerabilities, reach out to your Deepwatch team.

Sources
https://www.splunk.com/en_us/product-security.html
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0608.html
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0607.html
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0606.html
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0605.html
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0604.html
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0603.html
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0602.html
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0601.html
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html
