PoC for Splunk Enterprise RCE flaw released (CVE-2023-46214)
A proof-of-concept (PoC) exploit for a high-severity flaw in Splunk Enterprise (CVE-2023-46214) that can lead to remote code execution has been made public.
Users are advised to implement the provided patches or workarounds quickly.
About CVE-2023-46214
Splunk Enterprise is a solution that ingests a variety of data generated by an organization’s business infrastructure and applications. This data is used to generate helpful insights for improving the organization’s security and compliance, application delivery, IT operations, and more.
CVE-2023-46214 stems from Splunk Enterprise’s failure to safely sanitize extensible stylesheet language transformations (XSLT) that users supply.
“This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance,” the company explained.
According to the advisory, CVE-2023-46214 affects Splunk Enterprise versions 9.0.0 to 9.0.6 and 9.1.0 to 9.1.1. IT security expert and SANS ISC handler Bojan Zdrnja says that it also impacts Splunk v8.x, which is not supported anymore.
Splunk Cloud versions below 9.1.2308 are also affected. “Splunk is actively monitoring and patching Splunk Cloud Platform instances,” the company added.
CVE-2023-46214 PoC and risk mitigation
A vulnerability researcher has published a detailed analysis of CVE-2023-46214 and has consolidated the steps required for exploitation into a Python script. If specific prerequisites are met, the script should open a remote command prompt.
The attack can be performed remotely, but requires prior authentication (knowledge of valid credentials) and some user interaction.
Admins are advised to upgrade their instances to versions 9.0.7 and 9.1.2 or, if they cannot upgrade, to limit the ability of search job requests to accept XML stylesheet language (XSL) as valid input (by modifying the web.conf configuration file).
“For earlier Splunk Enterprise versions, review the web.conf specification for availability of the enableSearchJobXslt setting,” Splunk advised.
Splunk’s Threat Research team has also provided detections for threat hunters.
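As an added example (not from Splunk or from the researcher's write-up), the following Python sketch checks a Splunk Enterprise version against the affected ranges listed above and looks for the workaround in a web.conf file's contents. It assumes the setting lives in the [settings] stanza and is disabled with the value false, as described in Splunk's web.conf specification; the function names, status strings and sample file are constructed for illustration.

```python
import re

# Affected Splunk Enterprise ranges from the article (inclusive bounds).
AFFECTED = [((9, 0, 0), (9, 0, 6)), ((9, 1, 0), (9, 1, 1))]

# Constructed sample web.conf content, not taken from a real deployment.
SAMPLE_WEB_CONF = """\
# local overrides
[settings]
httpport = 8000
enableSearchJobXslt = false
"""

def is_affected(version):
    """True if the version string falls inside a listed affected range."""
    v = tuple(int(p) for p in version.split(".")[:3])
    v += (0,) * (3 - len(v))          # "9.1" is treated as 9.1.0
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def xslt_setting(conf_text):
    """Return the last enableSearchJobXslt value under [settings], else None."""
    stanza, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            stanza = header.group(1).strip()
        elif stanza == "settings" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "enableSearchJobXslt":
                value = val.lower()   # later duplicates override earlier ones
    return value

def assess(version, conf_text):
    """Classify one instance from its version and its web.conf text."""
    if int(version.split(".")[0]) == 8:
        # Article: 8.x is reported as impacted and is no longer supported.
        return "unsupported-8x-check-setting-availability"
    if not is_affected(version):
        return "not-in-listed-range"
    if xslt_setting(conf_text) in ("false", "0"):
        return "workaround-present"
    return "upgrade-or-disable-xslt"

if __name__ == "__main__":
    print(assess("9.1.1", SAMPLE_WEB_CONF))
```

Splunk merges web.conf from several directories, so run the check against the effective configuration rather than a single file.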