CVE-2017-18348

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions 6.6.x

Description: The issue allows local users to gain privileges by modifying the $SPLUNK HOME/etc/splunk-launch.conf file and inserting Trojan horse programs into $SPLUNK HOME/bin. This can occur when Splunk Enterprise is configured to run as root but drop privileges to a specific non-root account, and the non-root setup instructions are followed, which involves running chown across all of $SPLUNK HOME to give non-root access.

Recommendations: For Splunk Enterprise version 6.6.x, consider restricting access to the $SPLUNK HOME/etc/splunk-launch.conf file and $SPLUNK HOME/bin directory to prevent modification by non-root users. Additionally, review the non-root setup instructions to ensure they do not inadvertently introduce security risks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.