Critical Splunk bug propagates code execution – Security

Splunk is warning of a critical vulnerability that puts any endpoint subscribed to a Splunk Deployment Server at risk.

As the company explains here, universal forwarders are modules that collect client data from remote sources and pass the data to Splunk, and the deployment server passes configuration data to the forwarders.

The bug rates as critical on the Common Vulnerability Scoring System (a score of 9.0 in this case) because an attacker who compromises a Universal Forwarder (UF) endpoint in a Splunk deployment can push arbitrary code that will run on all other UF endpoints subscribed to the same deployment server.

In an enterprise deployment, this could equate to the compromise of thousands of endpoints.

The US Center for Internet Security provides a technical explanation of CVE-2022-32158 here.

The vulnerability, CI Security explained, allows forwarder bundles to be deployed to other clients through the deployment server.

“When a Deployment Server is used, it allows for the creation of configuration bundles that can be downloaded automatically by Splunk Universal Forwarder (SUF) agents or other Splunk Enterprise instances such as heavyweight forwarders,” it said.

In addition to plain text configuration files, configuration bundles can include binary packages, “most often used for specific connectors”.

When a SUF picks up such a bundle, it runs the binary, and by default most SUF agents run with Windows SYSTEM privileges, the CI Security message explains.

Splunk has fixed the bug in version 9.0 of its Enterprise deployment servers, but has not patched versions prior to 9.0. Instead, it recommends that users of older versions upgrade to 9.0.

Only the deployment server needs the patch: Splunk Cloud Platform does not use deployment servers, and patching SUFs does not fix this bug.

As this user explained on the Splunk forums, deployment servers are only needed to push software to SUFs – if the server is not currently in use, stopping it blocks the vulnerability.
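The triage the last three paragraphs imply, written out as an added Python example that is not Splunk's code or the article's: it walks an inventory and, using a proper numeric version comparison, decides for each instance whether it is unaffected, already on 9.0, should be stopped because it is unused, or needs the 9.0 upgrade. The inventory format (name, role, version, in_use fields) and the sample hosts are assumptions constructed for the example.

```python
"""Triage a Splunk inventory against CVE-2022-32158 (added example, not Splunk's code).

Assumptions (not from the article): each instance is a dict with 'name', 'role',
'version' and 'in_use' keys; 'role' is 'deployment_server', 'forwarder' or 'cloud'.
"""
from __future__ import annotations


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '8.2.6' or '9.0' into a comparable tuple, so 8.10 sorts after 8.2."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts) or (0,)


FIXED_VERSION = (9, 0)  # per the article, only 9.0 of the deployment server carries the fix


def triage(instance: dict) -> str:
    """Return the action the article's guidance implies for one instance."""
    role = instance["role"]
    if role == "cloud":
        return "not affected: Splunk Cloud Platform does not use deployment servers"
    if role != "deployment_server":
        return "no action: only the deployment server needs the patch"
    if parse_version(instance["version"]) >= FIXED_VERSION:
        return "patched: deployment server is on 9.0 or later"
    if not instance["in_use"]:
        return "stop the deployment server: unused, and stopping it blocks the vulnerability"
    return "upgrade the deployment server to 9.0: pre-9.0 versions have no patch"


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    {"name": "ds-prod", "role": "deployment_server", "version": "8.2.6", "in_use": True},
    {"name": "ds-lab", "role": "deployment_server", "version": "8.1.3", "in_use": False},
    {"name": "ds-new", "role": "deployment_server", "version": "9.0.0", "in_use": True},
    {"name": "uf-host-01", "role": "forwarder", "version": "8.2.6", "in_use": True},
    {"name": "cloud-stack", "role": "cloud", "version": "9.0.2206", "in_use": True},
]


def triage_inventory(inventory: list[dict]) -> dict[str, str]:
    """Map each instance name to its recommended action."""
    return {inst["name"]: triage(inst) for inst in inventory}


if __name__ == "__main__":
    for name, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {action}")
```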
