Critical Splunk Enterprise Vulnerability reported, PoC already available

published: Dec. 2, 2023

Take action: Because the attack requires authenticated credentials, patching does not have to happen in panic mode. Tell all users of your Splunk system to be very careful with phishing attempts and with any code they execute. Then patch the Splunk instance, since it is not smart to keep a vulnerable system running: someone will eventually be scammed into clicking an exploit.

Learn More

A high-severity vulnerability has been reported in Splunk Enterprise, a widely used data analytics solution. Tracked as CVE-2023-46214 (CVSS score 8.8), it results from Splunk Enterprise's failure to adequately sanitize user-supplied Extensible Stylesheet Language Transformations (XSLT) and could lead to remote code execution on the affected instance.

CVE-2023-46214 impacts Splunk Enterprise versions from 9.0.0 to 9.0.6 and 9.1.0 to 9.1.1, as well as version 8.x, which is no longer officially supported. Splunk Cloud versions below 9.1.2308 are also vulnerable, although Splunk is actively monitoring and patching instances on its Cloud Platform.

A vulnerability researcher has detailed the exploitation steps for CVE-2023-46214 in a Python script. Although the script requires certain conditions to be met, successful execution can open a remote command prompt. The attack requires prior authentication and some level of user interaction.

With these preconditions in mind, the most likely attack vector is phishing and social engineering aimed at persuading users of the vulnerable Splunk system to run the attack script.

Splunk’s Threat Research team has provided threat hunters with detections to aid in a comprehensive approach to addressing and mitigating the risks associated with this security vulnerability.

To mitigate this risk, administrators should upgrade Splunk Enterprise to version 9.0.7 or 9.1.2. If upgrading is not immediately possible, it is recommended to limit the ability of search job requests to accept Extensible Stylesheet Language (XSL) as valid input, which involves modifying the web.conf configuration file.

For older versions of Splunk Enterprise, a review of the web.conf specification for the enableSearchJobXslt setting is advised.
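As an added example (not from this advisory or from Splunk), the following Python checker applies the affected version ranges and the web.conf mitigation described above to constructed configuration layers. It assumes Splunk's usual layering (a local web.conf overriding the default one) and treats an absent enableSearchJobXslt as the feature being enabled; both are assumptions, not statements from the advisory.

```python
import configparser
import re

# Affected ranges as stated in the advisory: 9.0.0-9.0.6, 9.1.0-9.1.1, and all 8.x.
AFFECTED_RANGES = [((9, 0, 0), (9, 0, 6)), ((9, 1, 0), (9, 1, 1))]

def parse_version(version):
    """Turn '9.0.6' into (9, 0, 6); non-numeric suffixes are ignored."""
    parts = [int(re.match(r"\d+", p).group()) for p in version.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected_version(version):
    v = parse_version(version)
    if v[0] == 8:  # every 8.x release is out of support and listed as affected
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def xslt_enabled(conf_layers):
    """Merge web.conf layers in precedence order (default first, local last) and
    report whether [settings] enableSearchJobXslt resolves to enabled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's camelCase key names
    for layer in conf_layers:
        cp.read_string(layer)  # later layers override earlier ones
    value = cp.get("settings", "enableSearchJobXslt", fallback=None)
    if value is None:
        return True  # assumption: an unset key means XSLT handling stays on
    return value.strip().lower() in ("1", "true", "yes", "on")

def assess(version, conf_layers):
    """Classify an instance as patched, mitigated (XSLT disabled) or exposed."""
    affected = is_affected_version(version)
    enabled = xslt_enabled(conf_layers)
    if not affected:
        status = "patched"
    elif not enabled:
        status = "mitigated"
    else:
        status = "exposed"
    return {"affected_version": affected, "xslt_enabled": enabled, "status": status}

# Constructed sample layers: a shipped default and an admin's local override.
DEFAULT_CONF = "[settings]\nenableSearchJobXslt = true\n"
LOCAL_CONF = "[settings]\nenableSearchJobXslt = false\n"

if __name__ == "__main__":
    print(assess("9.1.1", [DEFAULT_CONF]))               # exposed
    print(assess("9.1.1", [DEFAULT_CONF, LOCAL_CONF]))   # mitigated
    print(assess("9.1.2", [DEFAULT_CONF]))               # patched
```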
