Headline
CVE-2023-32713: Local Privilege Escalation via the ‘streamfwd’ program in Splunk App for Stream
In Splunk App for Stream versions below 8.1.1, a low-privileged user could use a vulnerability in the streamfwd process within the Splunk App for Stream to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user.
Advisory ID: SVD-2023-0607
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 7.8, High
Description
A low-privileged local user could exploit a vulnerability in the streamfwd process, which ships with the Splunk App for Stream, to escalate their privileges on the machine that runs the Splunk Enterprise instance, up to and including the root user. Splunk App for Stream versions 8.1 and lower are affected.
Solution
Upgrade the Splunk App for Stream to version 8.1.1 or higher.
Product Status
Product                Version   Component   Affected Version   Fix Version
Splunk App for Stream  8.1       streamfwd   8.1 and lower      8.1.1
Mitigations and Workarounds
- On *nix hosts, install the Splunk App for Stream as a high-privileged user (for example, one listed in /etc/sudoers on the machine that runs the instance) rather than as a low-privileged account.
- Restrict execution of the ‘streamfwd’ binary so that only privileged users can run it, for example by tightening its file ownership and permission mode.
- Disable the Splunk App for Stream if you do not require it and cannot upgrade it.
These workarounds reduce exposure but do not remove the vulnerability; upgrading to 8.1.1 or higher is the fix.
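The following script is an added example, not part of the Splunk advisory and not Splunk's own tooling. It implements the two checks a practitioner would run before and after applying the Solution and the second workaround above: whether the installed app version is at or above the fix version, and whether low-privileged users can still execute the streamfwd binary. The app.conf layout ([launcher] stanza with a version key), the Splunk_TA_stream/linux_x86_64/bin/streamfwd path and the /opt/splunk default are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Added example, not part of the Splunk advisory: a pre-upgrade check for SVD-2023-0607.
# Assumptions (not stated by the advisory):
#   - the app's version is recorded in app.conf under [launcher] as "version = X.Y.Z";
#   - the streamfwd binary sits at $SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd;
#   - the relevant app.conf is $SPLUNK_HOME/etc/apps/splunk_app_stream/default/app.conf.
# Override any of these with environment variables if your layout differs.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
STREAMFWD="${STREAMFWD:-$SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd}"
APP_CONF="${APP_CONF:-$SPLUNK_HOME/etc/apps/splunk_app_stream/default/app.conf}"
FIX_VERSION="8.1.1"   # from the advisory's Solution / Fix Version

# version_ge A B: succeed when dotted version A is >= B, comparing up to four
# numeric components; missing components count as 0, so 8.1 < 8.1.1 < 8.1.10.
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s.' "$1" | cut -d. -f"$i" | tr -cd '0-9')
        y=$(printf '%s.' "$2" | cut -d. -f"$i" | tr -cd '0-9')
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# app_version FILE: print the "version" value from the [launcher] stanza of an app.conf.
app_version() {
    awk -F= '
        /^\[/ { in_launcher = ($0 == "[launcher]") }
        in_launcher && $1 ~ /^[ \t]*version[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }
    ' "$1"
}

# streamfwd_exposure FILE: print the file's mode, whether it is setuid, and whether
# "other" users can execute it. Succeeds only when others cannot execute it.
# Uses the ls -l mode string, which has the same layout on GNU and BSD systems.
streamfwd_exposure() {
    f="$1"
    [ -e "$f" ] || { echo "missing: $f"; return 2; }
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in ???[sS]*) suid=yes ;; *) suid=no ;; esac
    case "$mode" in ?????????[xt]) oexec=yes ;; *) oexec=no ;; esac
    echo "$f mode=$mode setuid=$suid other-execute=$oexec"
    [ "$oexec" = no ]
}

# restrict_streamfwd FILE: the advisory's second workaround, removing every
# permission from "other" so only the owner and the owning group can run it.
# Run as root on a real installation, and choose the owning group deliberately.
restrict_streamfwd() {
    chmod o-rwx "$1"
}

# Stand-alone run: report on the real installation when the assumed paths exist.
if [ -r "$APP_CONF" ]; then
    v=$(app_version "$APP_CONF")
    if version_ge "$v" "$FIX_VERSION"; then
        echo "Splunk App for Stream $v: at or above $FIX_VERSION, not affected"
    else
        echo "Splunk App for Stream $v: affected, upgrade to $FIX_VERSION or apply a workaround"
    fi
fi
if [ -e "$STREAMFWD" ]; then
    streamfwd_exposure "$STREAMFWD" || echo "ACTION: restrict_streamfwd $STREAMFWD (as root)"
fi
```

Run it as the Splunk service account for the report, and as root if you want to apply restrict_streamfwd. The exposure check deliberately reports the setuid bit alongside the "other" execute bit: removing execute permission for others is what the workaround asks for, and it works whether or not the binary carries setuid, so the script does not touch that bit.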
Detections
None
Severity
Splunk rated the vulnerability High, CVSSv3.1 base score 7.8, with the vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H: the attacker needs local access and a low-privileged account, no user interaction is required, attack complexity is high, and the scope is changed with high impact to confidentiality, integrity and availability.
If the instance does not run the Splunk App for Stream, then there is no impact and the severity is Informational.
Acknowledgments
Ben Leonard-Lagarde & Lucas Fedyniak-Hopes (Modux)