Advisory ID: SYSS-2016-015
Product: Splunk
Vendor: Splunk
Affected Version(s): 6.3.3.3 and below
Tested Version(s): 6.3.1
Vulnerability Type: Improper Access Control (CWE-284)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2016-02-22
Solution Date: 2016-04-06
Public Disclosure: 2016-04-19
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The access control for the Splunk search commands 'inputcsv' and 'outputcsv' is insufficient.

Splunk is software for searching, monitoring and analyzing machine-generated data such as log files.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The commands 'inputcsv' and 'outputcsv' can be used to save search results to and read inputs from CSV files. Those commands do not provide proper access control.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The command 'inputcsv' can be used to read arbitrary files from the directory $SPLUNK_HOME/var/run/splunk, including files in subfolders. Therefore it can also be used to read the merged server configuration, which is stored below $SPLUNK_HOME/var/run/splunk, using the search command:

| inputcsv merged/server.conf

Furthermore, the 'outputcsv' command can be used to write nearly arbitrary content to files inside $SPLUNK_HOME/var/run/splunk, i.e. it is possible to write a file named 'session-syss.csv'. Changing the value of a session-id cookie to 'syss.csv' will cause Splunk to load this file as a Python pickle file. The only thing that prevents code execution in this case is the use of double quotes inside the generated CSV files.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to Splunk Enterprise version 6.3.3.4, 6.2.9, 6.1.10, 6.0.11, 5.0.15 or later.
Upgrade to Splunk Light version 6.3.3.4, 6.2.9 or later.

See [2] for details.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-01-18: Vulnerability discovered
2016-01-22: Vulnerability reported to vendor
2016-03-12: Release of Splunk Enterprise version 6.3.3.4
2016-04-19: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Splunk Homepage
    https://www.splunk.com
[2] Splunk Advisory
    https://www.splunk.com/view/SP-CAAAPKV
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Franz G. Jahn of SySS GmbH.

E-Mail: franz.jahn@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.
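Added example for the PoC section above; this is editor-supplied code, not part of the SySS advisory or of Splunk. It scans search strings (constructed samples, not real audit data) for the two 'inputcsv'/'outputcsv' usage patterns the PoC describes: a filename carrying a path component, and an 'outputcsv' target named like a session file. The option-stripping heuristic (key=value tokens are options, first remaining token is the filename) is an assumption, not Splunk's own parser.

```python
import re

# Constructed sample searches (not real audit data) in the shapes the PoC describes.
SAMPLE_SEARCHES = [
    'search index=main sourcetype=access_combined | stats count by status',
    '| inputcsv merged/server.conf',
    'search index=_internal | head 10 | outputcsv append=true session-syss.csv',
    '| inputcsv lookup_results.csv | table host',
    'search "a | b" | outputcsv report.csv',
]

_CSV_CMD = re.compile(r'^\s*(inputcsv|outputcsv)\b(.*)$', re.IGNORECASE)

def split_stages(spl):
    """Split an SPL string into pipeline stages on '|' outside double quotes."""
    stages, buf, in_quote = [], [], False
    for ch in spl:
        if ch == '"':
            in_quote = not in_quote
        if ch == '|' and not in_quote:
            stages.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    stages.append(''.join(buf))
    return stages

def find_risky_csv_stages(spl):
    """Return (command, filename, reason) tuples for stages matching the advisory's patterns."""
    findings = []
    for stage in split_stages(spl):
        m = _CSV_CMD.match(stage)
        if not m:
            continue
        cmd, rest = m.group(1).lower(), m.group(2)
        # Assumption: key=value tokens are command options (e.g. append=true);
        # the first remaining token is the positional CSV filename.
        names = [t.strip('"') for t in rest.split() if '=' not in t]
        if not names:
            continue
        fname = names[0]
        if '/' in fname or '\\' in fname or '..' in fname:
            findings.append((cmd, fname, 'path component: reaches outside the flat CSV namespace'))
        elif cmd == 'outputcsv' and fname.lower().startswith('session-'):
            findings.append((cmd, fname, 'session-* target: file may be loaded as a session store'))
    return findings

def scan(searches):
    """Map each search string to its findings, omitting searches with none."""
    return {s: f for s in searches if (f := find_risky_csv_stages(s))}
```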
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en