CVE-2022-43565 - Bypassing SPL Safeguards in Splunk Enterprise Using JSON in 'tstats' Command

A newly discovered vulnerability in Splunk Enterprise, denoted as CVE-2022-43565, allows attackers to bypass the Search Processing Language (SPL) safeguards for risky commands simply by manipulating the way the 'tstats' command handles JSON data. This has been found to affect Splunk Enterprise versions below 8.2.9 and 8.1.12. Attackers can exploit this vulnerability by phishing the victim and tricking them into initiating a request within their browser.

In this article, we will discuss the details of this exploit, provide a code snippet to demonstrate the vulnerability, and direct you to original references for further understanding.

The Exploit

The vulnerability resides in the 'tstats' command, which allows Splunk users to perform statistical queries on indexed data. In normal situations, the SPL safeguards in Splunk Enterprise restrict the use of risky commands by limiting access according to user privileges and other security mechanisms. However, CVE-2022-43565 bypasses these security measures by taking advantage of the way JSON data is handled by the 'tstats' command.

The attacker needs to craft a malicious JSON object, then trick the victim into executing the 'tstats' command containing that JSON data. The command will bypass the SPL safeguards, allowing the attacker to execute potentially harmful actions under the victim's account.

The following code snippet demonstrates how an attacker could create a malicious JSON object and use it to manipulate the 'tstats' command:

{
    "_key": "<ATTACKER_CONTROLLED_PAYLOAD>",
    "search": {
        "tstats": {
            "conf": {
                "search": "<ANOTHER_ATTACKER_CONTROLLED_VALUE>"
            }
        }
    }
}

In this example, <ATTACKER_CONTROLLED_PAYLOAD> and <ANOTHER_ATTACKER_CONTROLLED_VALUE> should be replaced with values controlled by the attacker that can exploit the vulnerability.

1. Splunk Cloud Security - SPL Safeguards - This is the official documentation from Splunk that explains what SPL safeguards are and how they are designed to protect users from risky command execution.

2. Splunk Vulnerability Advisory - It is recommended to keep an eye on the official Splunk documentation for any vulnerability advisory that might provide details on this CVE and any associated patches or mitigation steps.

Mitigation

To protect against this vulnerability, users should update their Splunk Enterprise installation to at least version 8.2.9 or 8.1.12. Applying the latest patches and updates will ensure that the SPL safeguards function properly and protect users from similar exploits to the 'tstats' command.

Conclusion

CVE-2022-43565 is a security vulnerability in Splunk Enterprise that allows attackers to bypass the SPL safeguards for risky commands by exploiting the way JSON is handled in the 'tstats' command. By crafting a malicious JSON object and tricking the victim into executing the modified command, an attacker can take control of the victim's account and perform unauthorized actions.

Update your Splunk Enterprise to the latest version and stay informed on any relevant vulnerability advisories to mitigate this risk effectively.

Timeline

Published on: 11/04/2022 23:15:00 UTC
Last modified on: 11/08/2022 13:53:00 UTC