
Rewterz Threat Advisory – Multiple Splunk Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2023-32706 CVSS:7.7

Splunk Enterprise is vulnerable to an XML external entity injection (XXE) attack when processing XML data, caused by a weakly configured XML parser in the SAML authentication mechanism. By using specially crafted XML content, a remote authenticated attacker could exploit this vulnerability to cause a denial of service, or achieve other system impacts.
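The root cause described above is an XML parser that honours DTDs, since external entities can only be declared inside a DOCTYPE. The following Python snippet is an added illustration for defenders, not code from the Rewterz advisory or from Splunk: it configures the standard-library expat parser to refuse any DOCTYPE or entity declaration before an entity can be resolved, and runs it over a constructed SAML-style response and a constructed document of the XXE shape. The element names and sample values are invented for the example.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD, the vehicle for XXE."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted party with DTD processing refused outright.

    Refusing the DOCTYPE itself (rather than filtering individual entities)
    closes XXE, entity-expansion DoS and DTD-based SSRF with one check.
    Returns a {tag: text} map of the leaf elements, enough to read a
    SAML-style subject in this illustration.
    """
    parser = xml.parsers.expat.ParserCreate()

    def forbid_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} not allowed in untrusted XML")

    def forbid_entity(entity_name, *_ignored):
        raise UnsafeXMLError(f"entity declaration {entity_name!r} not allowed")

    def refuse_external_entity(context, base, system_id, public_id):
        return 0  # a false return makes expat abort instead of fetching system_id

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = refuse_external_entity

    leaves: dict = {}
    text: list = []

    def start(name, attrs):
        text.clear()  # text seen before a child element belongs to no leaf

    def chars(content):
        text.append(content)

    def end(name):
        value = "".join(text).strip()
        if value:
            leaves[name] = value
        text.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return leaves


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample: a minimal SAML-style response as a trusted IdP would send it.
BENIGN_RESPONSE = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of the XXE shape: an external entity declared in a DTD.
XXE_RESPONSE = b"""<?xml version="1.0"?>
<!DOCTYPE samlp:Response [<!ENTITY ext SYSTEM "file:///dev/null">]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <NameID>&ext;</NameID>
</samlp:Response>"""

if __name__ == "__main__":
    print("benign subject:", parse_untrusted_xml(BENIGN_RESPONSE).get("saml:NameID"))
    print("XXE document rejected:", is_rejected(XXE_RESPONSE))
```

The same policy applies to any SAML or other XML endpoint: disable DTD processing entirely rather than trying to block particular entity names or URI schemes.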

CVE-2023-32707 CVSS:8.8

Splunk Enterprise and Splunk Cloud Platform could allow a remote authenticated attacker to gain elevated privileges on the system, caused by an unspecified flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to gain elevated privileges.

CVE-2023-32708 CVSS:7.2

Splunk Enterprise and Splunk Cloud Platform are vulnerable to HTTP response splitting attacks, caused by the lack of filtering in the rest SPL command. A remote authenticated attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
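Response splitting comes down to a carriage return or line feed reaching the wire inside a header. The Python snippet below is an added illustration and is not code from the advisory or from Splunk: it shows a serialiser that copies header values unchecked, beside one that validates header names as RFC 7230 tokens and refuses control characters in values, and counts how many status lines a constructed attacker-controlled value produces in each case. The header, filename and body strings are invented for the example.

```python
import re

# RFC 7230 header-name token, and a field value without CR, LF, NUL or other controls.
# HTAB (0x09) is the only control character a field value may legitimately contain.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_CTL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderInjection(ValueError):
    """Raised when a header name or value would be read as new lines on the wire."""


def unsafe_build_response(status: str, headers: dict, body: bytes) -> bytes:
    """Vulnerable shape: values copied onto the wire with no control-character check."""
    lines = [f"HTTP/1.1 {status}"] + [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def validate_header(name: str, value: str) -> None:
    if not _TOKEN_RE.match(name):
        raise HeaderInjection(f"illegal header name {name!r}")
    if _CTL_RE.search(value):
        raise HeaderInjection(f"control character in value of {name!r}")


def build_response(status: str, headers: dict, body: bytes) -> bytes:
    """Hardened shape: every header is validated before serialisation."""
    for name, value in headers.items():
        validate_header(name, value)
    return unsafe_build_response(status, headers, body)


def try_build_response(status: str, headers: dict, body: bytes):
    """Return the serialised response, or None when a header is rejected."""
    try:
        return build_response(status, headers, body)
    except HeaderInjection:
        return None


def count_status_lines(wire: bytes) -> int:
    """Number of HTTP status lines in a byte stream; more than one means the response was split."""
    return len(re.findall(rb"(?:^|\r\n)HTTP/1\.[01] \d{3}", wire))


# Constructed sample: a filename echoed into Content-Disposition that has been
# padded with CRLF and a complete second response.
INJECTED_VALUE = (
    'attachment; filename="report.csv"\r\n\r\n'
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 8\r\n\r\npoisoned"
)

if __name__ == "__main__":
    headers = {"Content-Disposition": INJECTED_VALUE}
    bad = unsafe_build_response("200 OK", headers, b"")
    print("unsafe serialiser emitted", count_status_lines(bad), "responses")
    print("hardened serialiser result:", try_build_response("200 OK", headers, b""))
```

Rejecting the request outright is preferable to stripping CR and LF, because silently altered values tend to hide the fact that an injection was attempted from the logs.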

CVE-2023-32709 CVSS:4.3

Splunk Enterprise and Splunk Cloud Platform could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization in the conf-user-seed REST endpoint. By sending a specially crafted rest SPL command, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2023-32710 CVSS:4.8

Splunk Enterprise and Splunk Cloud Platform could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the copyresults command. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

CVE-2023-32711 CVSS:5.4

Splunk Enterprise is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Bootstrap web framework. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-32712 CVSS:3.4

Splunk Enterprise could allow a remote attacker over SSH to bypass security restrictions, caused by a log file poisoning vulnerability. By persuading a victim to open a specially crafted URL, an attacker could exploit this vulnerability to poison the log files on the system.

CVE-2023-32713 CVSS:7.8

Splunk App for Stream could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the streamfwd process. By sending a specially crafted request, an attacker could exploit this vulnerability to gain root level privileges.

CVE-2023-32714 CVSS:8.1

Splunk App for Lookup File Editing could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially crafted URL request containing "dot dot" sequences (../..//) to read and write to restricted areas of the Splunk installation directory.
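The defence for this class of bug is to resolve the requested name against the permitted directory and then check containment, rather than searching the input for ".." strings. The Python snippet below is an added illustration, not code from the advisory or from the Splunk app: it percent-decodes once, normalises the path (which collapses the "../..//" shape quoted above), refuses absolute paths, and finally checks that the fully resolved target still lies under the base directory. The directory and file names are hypothetical.

```python
import os
import posixpath
from urllib.parse import unquote


class TraversalAttempt(ValueError):
    """Raised when a requested file path would leave the permitted directory."""


def resolve_lookup_path(base_dir: str, requested: str) -> str:
    """Map a user-supplied lookup file name onto a path confined to base_dir.

    Order of checks: percent-decode once (so %2e%2e is seen as ..), refuse NUL
    bytes, normalise lexically (collapses ../, ./ and // and treats backslashes
    as separators), refuse anything absolute or still starting with .., then
    confirm the fully resolved path is inside base_dir, which also catches
    symlinks that point outside it.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise TraversalAttempt("NUL byte in requested path")
    normalised = posixpath.normpath(decoded.replace("\\", "/"))
    if normalised in (".", "") or normalised.startswith("/"):
        raise TraversalAttempt(f"absolute or empty path refused: {requested!r}")
    if normalised == ".." or normalised.startswith("../"):
        raise TraversalAttempt(f"path escapes the lookup directory: {requested!r}")
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, normalised))
    if os.path.commonpath([base_real, target]) != base_real:
        raise TraversalAttempt(f"resolved path escapes the lookup directory: {requested!r}")
    return target


def is_confined(base_dir: str, requested: str) -> bool:
    """True when the request resolves inside base_dir, False when it is refused."""
    try:
        resolve_lookup_path(base_dir, requested)
    except TraversalAttempt:
        return False
    return True


# Hypothetical directory standing in for the app's lookup store.
LOOKUP_DIR = "/opt/example/lookups"

if __name__ == "__main__":
    # Constructed requests: two legitimate, the rest traversal variants.
    for req in ("prices.csv", "sub/../prices.csv", "../..//secrets.txt",
                "%2e%2e/%2e%2e/secrets.txt", "..\\..\\secrets.txt", "/etc/hosts"):
        print(f"{req!r:32} -> {'allowed' if is_confined(LOOKUP_DIR, req) else 'refused'}")
```

The containment check on the resolved path is the one that matters; the earlier lexical checks only give clearer error messages and stop obviously bad input before any filesystem access.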

CVE-2023-32715 CVSS:4.7

Splunk App for Lookup File Editing is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-32716 CVSS:6.5

Splunk Enterprise and Splunk Cloud Platform are vulnerable to a denial of service, caused by a flaw in the dump SPL command. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.

CVE-2023-32717 CVSS:4.3

Splunk Enterprise and Splunk Cloud Platform could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control in the /services/indexing/preview REST endpoint. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authorization and overwrite search results.

Impact

  • Privilege Escalation
  • Denial of Service
  • Security Bypass
  • Information Disclosure
  • Gain Access
  • Cross-Site Scripting

Indicators Of Compromise

CVE

  • CVE-2023-33010
  • CVE-2023-33009

Affected Vendors

Splunk

Affected Products

  • Splunk Enterprise 9.0.4
  • Splunk Enterprise 8.2.10
  • Splunk Enterprise 8.1.13
  • Splunk Cloud Platform 9.0.2303
  • Splunk App for Stream 8.1.0
  • Splunk App for Lookup File Editing 4.0.0

Remediation

Refer to the Splunk advisories for each CVE listed below for patch, upgrade, or suggested workaround information.

  • CVE-2023-32706
  • CVE-2023-32707
  • CVE-2023-32708
  • CVE-2023-32709
  • CVE-2023-32710
  • CVE-2023-32711
  • CVE-2023-32712
  • CVE-2023-32713
  • CVE-2023-32714
  • CVE-2023-32715
  • CVE-2023-32716
  • CVE-2023-32717