Skip to main content
Security Advisory

Splunk Local Privilege Escalation

Advisory ID
KL-001-2017-022
Published
2017-11-03
Vendor
Splunk

Affected Systems

Product
Splunk Enterprise
Version
6.6.x
Platform
Embedded Linux

Discovered By

Hank Leininger (KoreLogic)
Download (signed .txt)
Back to Advisories

Vulnerability Details

Affected Vendor: Splunk
Affected Product: Splunk Enterprise
Affected Version: 6.6.x
Platform: Embedded Linux
CWE Classification: CWE-280: Improper Handling of Insufficient Permissions or Privileges
Impact: Privilege Escalation
Attack Vector: Local

Vulnerability Description

Splunk can be configured to run as a non-root user. However, that user owns the configuration file that specifies the user to run as, so it can trivially gain root privileges.

Technical Description

Splunk runs multiple daemons and network listeners as root by default. It can be configured to drop privileges to a specified non-root user at startup such as user splunk, via the SPLUNK_OS_USER variable in the splunk-launch.conf file in $SPLUNK_HOME/etc/ (such as /opt/splunk/etc/splunk-launch.conf).

However, the instructions for enabling such a setup call for chown’ing the entire $SPLUNK_HOME directory to that same non-root user. For instance:

http://docs.splunk.com/Documentation/Splunk/6.6.2/Installation/RunSplunkasadifferentornon-rootuser

“4. Run the chown command to change the ownership of the splunk directory and everything under it to the user that you want to run the software.

     chown -R splunk:splunk $SPLUNK_HOME"

Therefore, if an attacker gains control of the splunk account, they can modify $SPLUNK_HOME/etc/splunk-launch.conf to remove/unset SPLUNK_OS_USER so that the software will retain root privileges, and place backdoors under $SPLUNK_HOME/bin/, etc. that will take malicious actions as user root the next time Splunk is restarted.

Mitigation and Remediation Recommendation

The vendor has published a mitigation for this vulnerability at: https://www.splunk.com/view/SP-CAAAP3M

Credit

This vulnerability was discovered by Hank Leininger of KoreLogic, Inc.

Proof of Concept

See 3. Technical Description.

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Disclosure Timeline

KoreLogic submits vulnerability details to Splunk.

Splunk confirms receipt.

Splunk notifies KoreLogic that the issue has been assigned an internal ticket and will be addressed.

30 business days have elapsed since the vulnerability was reported to Splunk.

KoreLogic requests an update from Splunk.

Splunk informs KoreLogic that they will issue an advisory on October 28th.

45 business days have elapsed since the vulnerability was reported to Splunk.

Splunk notifies KoreLogic that the advisory is published.

KoreLogic public disclosure.

Back to Advisories

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable

Resources & Downloads

Contact Security Team
All Advisories Download signed .txt