Splunk reports RCE Vulnerability → NeuraCyb Security Labs

Splunk Enterprise is a powerful platform for data analytics and monitoring, but it also has a critical security flaw that could allow attackers to execute arbitrary code on your system. This flaw, known as CVE-2023-46214, affects versions of Splunk Enterprise less than 9.0.7 and 9.1.2 ¹. In this article, we will explain what this vulnerability is, how it works, and what you can do to prevent it.

What is CVE-2023-46214?

CVE-2023-46214 is a remote code execution (RCE) vulnerability that stems from insufficient sanitization protocols for user-supplied extensible stylesheet language transformations (XSLT)². XSLT is a language that allows transforming XML documents into other formats, such as HTML or plain text. Splunk Enterprise uses XSLT to process some of the data that it collects and displays.

The problem is that Splunk Enterprise does not properly check the XSLT content that it receives from users, and allows them to upload malicious XSLT files that contain code that can be executed on the server. This means that an attacker who has access to Splunk Enterprise, either as a legitimate user or by exploiting another vulnerability, can upload a specially crafted XSLT file and trigger the execution of their code on the system.

How does CVE-2023-46214 work?

Here is a simplified example of how CVE-2023-46214 works:

The attacker creates an XSLT file that contains malicious code, such as a command to delete all the files on the server, or to download and run a malware program. The XSLT file may look something like this:

<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:value-of select="system('rm -rf /')"/>
</xsl:template>
</xsl:stylesheet>

The attacker uploads the XSLT file to Splunk Enterprise, either through the web interface or by using the REST API. The file is stored on the server, and can be accessed by a URL, such as https://splunk.example.com/xslt/malicious.xsl.
The attacker triggers the execution of the XSLT file by sending a request to Splunk Enterprise that includes the URL of the file as a parameter, such as https://splunk.example.com/search?q=xslt:malicious.xsl. This request causes Splunk Enterprise to apply the XSLT file to some XML data, and execute the code that is embedded in the file.
The attacker’s code is executed on the server, and performs the malicious actions that the attacker intended, such as deleting all the files or installing malware.

How to prevent CVE-2023-46214?

The best way to prevent CVE-2023-46214 is to update your Splunk Enterprise to the latest version, which fixes the vulnerability. Splunk has released patches for versions 9.0.7 and 9.1.2, which you can download from their website ³. You should also check your Splunk Enterprise logs and audit trails for any suspicious activity, such as XSLT uploads or requests, and investigate any potential incidents.

If you cannot update your Splunk Enterprise immediately, there are some mitigations that you can apply to reduce the risk of exploitation. These include:

Restricting the access to Splunk Enterprise to authorized users only, and enforcing strong authentication and authorization policies. You should also monitor the user activity and revoke any suspicious or unused accounts.
Disabling the XSLT feature in Splunk Enterprise, if you do not use it or need it. You can do this by setting the enable_xslt parameter to false in the web.conf file, which is located in the $SPLUNK_HOME/etc/system/local directory ⁴.
Blocking or filtering the XSLT requests that contain malicious code, either at the network level or at the application level. You can use an intrusion detection or prevention system (IDPS) or a web application firewall (WAF) to detect and block the requests that contain the xslt: parameter with a malicious URL. You can also use a custom script or a Splunk app to filter the requests and reject the ones that contain XSLT content.

Conclusion

CVE-2023-46214 is a serious vulnerability that affects Splunk Enterprise, and could allow attackers to execute arbitrary code on your system. You should update your Splunk Enterprise to the latest version as soon as possible, or apply the mitigations that we have described. You should also monitor your Splunk Enterprise for any signs of compromise, and report any incidents to Splunk support.

We hope that this article has helped you understand the CVE-2023-46214 vulnerability and how to protect your Splunk Enterprise from RCE attacks. If you have any questions or feedback, please feel free to contact us. Thank you for reading.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.

Share this content: