Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-4571: Unauthenticated Log Injection in Splunk IT Service Intelligence (ITSI)

In Splunk IT Service Intelligence (ITSI) versions below 4.13.3 or 4.15.3, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed.

The vulnerability does not directly affect Splunk ITSI. The indirect impact on Splunk ITSI can vary significantly depending on the permissions in the vulnerable terminal application, as well as where and how the user reads the malicious log file. For example, users can copy the malicious file from Splunk ITSI and read it on their local machine.

CVE
#vulnerability#web#mac#windows#git#intel#rce#auth

Advisory ID: SVD-2023-0810

Published: 2023-08-30

Last Update: 2023-08-30

CVSSv3.1 Score: 8.6, High

Description

In Splunk IT Service Intelligence (ITSI) versions below 4.13.3 or 4.15.3, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed.

The vulnerability does not directly affect Splunk ITSI. The indirect impact on Splunk ITSI can vary significantly depending on the permissions in the vulnerable terminal application, as well as where and how the user reads the malicious log file. For example, users can copy the malicious file from Splunk ITSI and read it on their local machine.

Solution

For Splunk ITSI, upgrade to version 4.13.3 or 4.15.3.

Upgrading or mitigating the issue prevents future log injections. However, logs that were generated prior to an upgrade might be at risk. Where applicable, remove existing Splunk ITSI log files in either $SPLUNK_HOME/var/log/splunk/ or $SPLUNK_HOME/var/run/splunk/dispatch//itsi_search.log. On Windows ITSI instances, the log files are in %SPLUNK_HOME%\var\log\splunk and %SPLUNK_HOME%\var\run\splunk\dispatch\\itsi_search.log.

Product Status

Product

Version

Component

Affected Version

Fix Version

Splunk ITSI

4.13

-

4.13.0 to 4.13.2

4.13.3

Splunk ITSI

4.15

-

4.15.0 to 4.15.2

4.15.3

Mitigations and Workarounds

As a partial mitigation, users can protect themselves from log injections via ANSI escape characters by disabling the ability to process ANSI escape codes in terminal applications or using a terminal application that supports the filtering of ANSI codes.

Detections

None

Severity

Splunk rates the vulnerability as High, 8.6, with a CVSS Vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

Attack Vector:

The attack initially occurs at the network layer through an HTTP web request from the attacker to the vulnerable Splunk ITSI instance. However, this initial attack vector does not align with the CVSS metrics for “Attack Vector.” In most vulnerabilities that Splunk rates, the vector would align with those metrics, but the CVSS specification provides two qualifications for the “Local” metric. Specifically, the second qualification states the following:

  • the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).”

The attack mirrors this example, requiring the user to open a malicious document, for example, the injected log file. Because of this, Splunk rated the Attack Vector as “Local” per the CVSS v3.1 Specification Document.

Attack Complexity:

The vulnerability does not require additional preparation from the attacker, and there are no extenuating circumstances for exploiting the vulnerability.

Privileges Required:

The vulnerability does not require attacker privileges and occurs through an unauthenticated request to the Splunk ITSI instance.

User Interaction:

The vulnerability requires users to open or read the malicious document, file, or log for successful execution.

Scope:

The vulnerability does not affect Splunk ITSI directly, only indirectly through the authorized permissions in the user’s terminal. The vulnerability directly affects the user’s terminal, which falls outside of Splunk’s security authority. As such, the vulnerability qualifies for a Change in Scope.

Confidentiality/Integrity/Availability:

The vulnerability allows for the potential for remote code execution within the context of a user’s terminal. Because of this, out of an abundance of caution, Splunk rated the impact on the user’s terminal as High for all three vectors. The indirect impact on Splunk ITSI might vary significantly depending on how the user configured permissions in their terminal application.

Acknowledgments

STÖK / Fredrik Alexandersson

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907