Fredrik Alexandersson

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.<br><br>The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 10.2.0 Splunk Enterprise versions 10.0.2 through 10.0.2 Splunk Enterprise versions 9.2.12 through 9.4.8 Splunk Enterprise versions 9.3.9 Splunk Cloud Platform versions prior to 10.2.2510.3 Splunk Cloud Platform versions 10.0.2503.9 through 10.1.2507.8 Splunk Cloud Platform versions 9.3.2411.121 **Description** A user with limited privileges, lacking 'admin' or 'power' roles in Splunk, can create a malicious payload within the `realname`, `tz`, or `email` parameters of the `/splunkd/ raw/services/authentication/users/username` REST API endpoint when changing a password. This could potentially cause a client-side denial-of-service (DoS), significantly slowing page load times or causing Splunk Web to become temporarily unresponsive. The API endpoint is `/splunkd/ raw/services/authentication/users/username`. The vulnerable parameters are `realname`, `tz`, and `email`. **Recommendations** Update Splunk Enterprise to version 10.2.0 or later. Update Splunk Enterprise to version 10.0.2 or later. Update Splunk Enterprise to version 9.4.8 or later. Update Splunk Enterprise to version 9.3.9 or later. Update Splunk Enterprise to version 9.2.12 or later. Update Splunk Cloud Platform to version 10.2.2510.3 or later. Update Splunk Cloud Platform to version 10.1.2507.8 or later. Update Splunk Cloud Platform to version 10.0.2503.9 or later. Update Splunk Cloud Platform to version 9.3.2411.121 or later.

**Nome do Software Vulnerável e Versões Afetadas** Versões do Splunk Enterprise anteriores a 10.0.1 Versões do Splunk Enterprise de 9.2.8 a 9.4.4 Versões do Splunk Cloud Platform anteriores a 9.3.2411.108 Versões do Splunk Cloud Platform de 9.2.2406.123 a 9.3.2408.118 **Descrição** Um usuário com a capacidade `change authentication` pode enviar múltiplas solicitações de bind LDAP para um endpoint interno, potencialmente causando alto uso da CPU do servidor e uma negação de serviço (DoS) até que a instância do Splunk Enterprise seja reiniciada. O problema afeta o Splunk Enterprise e o Splunk Cloud Platform. O endpoint vulnerável é um endpoint interno de solicitação de bind LDAP. **Recomendações** Atualize o Splunk Enterprise para a versão 10.0.1 ou posterior. Atualize o Splunk Enterprise para a versão 9.4.4 ou posterior. Atualize o Splunk Enterprise para a versão 9.3.6 ou posterior. Atualize o Splunk Enterprise para a versão 9.2.8 ou posterior. Atualize o Splunk Cloud Platform para a versão 9.3.2411.108 ou posterior. Atualize o Splunk Cloud Platform para a versão 9.3.2408.118 ou posterior. Atualize o Splunk Cloud Platform para a versão 9.2.2406.123 ou posterior.

Nome do software vulnerável e versões afetadas: Versões do Splunk Enterprise anteriores à 9.2.2 Versões do Splunk Enterprise anteriores à 9.1.5 Versões do Splunk Enterprise anteriores à 9.0.10 Versões da Splunk Cloud Platform anteriores à 9.1.2312 Descrição: O problema está relacionado à interface Splunk Web da plataforma Splunk Enterprise para análise operacional, que não toma medidas para proteger a estrutura da página da web. Isso poderia permitir que um invasor remoto realizasse ataques de cross-site scripting (XSS). Um usuário administrador poderia armazenar e executar código JavaScript arbitrário no contexto do navegador de outro usuário do Splunk por meio do endpoint REST `conf-web/settings`, causando potencialmente uma exploração persistente de cross-site scripting (XSS). Recomendações: Para versões do Splunk Enterprise anteriores à 9.2.2, atualize para a versão 9.2.2 ou posterior. Para versões do Splunk Enterprise anteriores à 9.1.5, atualize para a versão 9.1.5 ou posterior. Para versões do Splunk Enterprise anteriores à 9.0.10, atualize para a versão 9.0.10 ou posterior. Para versões da Splunk Cloud Platform anteriores à 9.1.2312, atualize para a versão 9.1.2312 ou posterior. Como solução alternativa temporária, considere restringir o acesso ao endpoint REST `conf-web/settings` até que um patch esteja disponível.

**Name of the Vulnerable Software and Affected Versions** Splunk IT Service Intelligence (ITSI) versions prior to 4.13.3 Splunk IT Service Intelligence (ITSI) versions prior to 4.15.3 Splunk IT Service Intelligence (ITSI) versions prior to 4.17.1 **Description** A malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files. When a vulnerable terminal application reads these log files, it can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed. The indirect impact on Splunk ITSI can vary significantly depending on the permissions in the vulnerable terminal application, as well as where and how the user reads the malicious log file. **Recommendations** For versions prior to 4.13.3, update to version 4.13.3 or later. For versions prior to 4.15.3, update to version 4.15.3 or later. For versions prior to 4.17.1, update to version 4.17.1 or later. As a temporary workaround, consider avoiding the use of terminal applications that translate ANSI escape codes to read log files from Splunk ITSI until a patch is applied. Restrict access to log files and limit user interaction with potentially malicious files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Splunk SOAR versions prior to 6.1.0 **Description** The issue is related to the incorrect handling of log output, which can be exploited by sending a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action. A third party can exploit this to potentially execute arbitrary code. **Recommendations** For versions prior to 6.1.0, update to version 6.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the terminal to minimize the risk of exploitation. Avoid using the terminal to view logs until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.1.0.2 Splunk Enterprise versions prior to 9.0.5.1 Splunk Enterprise versions prior to 8.2.11.2 Universal Forwarder versions prior to 9.1.0.2 Universal Forwarder versions prior to 9.0.5.1 Universal Forwarder versions prior to 8.2.11.2 **Description** The issue is related to the improper handling of log output, allowing an attacker to inject American National Standards Institute (ANSI) escape codes into log files. When a vulnerable terminal application reads these logs, it can potentially lead to code execution in the application. This requires a user to use a terminal that supports ANSI escape code translation and to perform additional interactions to exploit. The vulnerability can be exploited through a specially crafted web URL or by sending a specially crafted HTTP request containing ANSI escape codes. **Recommendations** For Splunk Enterprise versions prior to 9.1.0.2, update to version 9.1.0.2 or later. For Splunk Enterprise versions prior to 9.0.5.1, update to version 9.0.5.1 or later. For Splunk Enterprise versions prior to 8.2.11.2, update to version 8.2.11.2 or later. For Universal Forwarder versions prior to 9.1.0.2, update to version 9.1.0.2 or later. For Universal Forwarder versions prior to 9.0.5.1, update to version 9.0.5.1 or later. For Universal Forwarder versions prior to 8.2.11.2, update to version 8.2.11.2 or later. As a temporary workaround, consider disabling the use of ANSI escape codes in log files until a patch is available. Restrict access to management services in Universal Forwarder to minimize the risk of exploitation.