CVE-2017-18348 - Permissions, Privileges, and Access Control vulnerability in Splunk

Publication

2018-10-19

Last modification

2018-12-04

Summary

Splunk Enterprise 6.6.x, when configured to run as root but drop privileges to a specific non-root account, allows local users to gain privileges by leveraging access to that non-root account to modify $SPLUNK_HOME/etc/splunk-launch.conf and insert Trojan horse programs into $SPLUNK_HOME/bin, because the non-root setup instructions state that chown should be run across all of $SPLUNK_HOME to give non-root access.
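
A defender-side check for the condition described in the summary, as an added example that is not from Splunk or this advisory: it lists splunk-launch.conf, the directories that contain it, and anything under bin/ that is not owned by the trusted uid or is group/world-writable. The function name `audit_splunk_home` and the default trusted uid 0 are assumptions of this example; ACLs are not inspected.

```shell
#!/bin/sh
# Added example (not vendor code). Reports paths that let an account other than
# the trusted one change what a root-started Splunk launcher reads or executes.
#
# audit_splunk_home SPLUNK_HOME [TRUSTED_UID]
#   prints one path per finding; returns 0 = clean, 1 = findings, 2 = bad path
audit_splunk_home() {
    home=$1
    uid=${2:-0}          # assumption: only uid 0 should own these paths
    [ -d "$home" ] || { echo "not a directory: $home" >&2; return 2; }

    # Unsafe = owned by someone other than $uid, or group/world-writable.
    # Symlink mode bits carry no meaning, so only their ownership is checked.
    findings=$(
        {
            # The launch config and the directories whose write bit would let
            # someone replace it (each checked itself, not recursed into).
            find "$home" "$home/etc" "$home/etc/splunk-launch.conf" -prune \
                \( ! -user "$uid" -o \( ! -type l \( -perm -020 -o -perm -002 \) \) \) \
                -print
            # Every program and directory under bin/.
            find "$home/bin" \
                \( ! -user "$uid" -o \( ! -type l \( -perm -020 -o -perm -002 \) \) \) \
                -print
        } 2>/dev/null || true
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (after sourcing this file): audit_splunk_home "$SPLUNK_HOME"
```

An install that followed the "chown all of $SPLUNK_HOME" instruction reports every checked path, since all of them belong to the non-root account.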

Description

Splunk is prone to multiple local privilege escalation vulnerabilities. An attacker can exploit these issues to execute arbitrary code with root privileges.

Solution

Updates are available. Please see the references or vendor advisory for more information.

Exploit

Currently, we are not aware of any working exploits.

Classification

CWE-264 - Permissions, Privileges, and Access Control

Risk level (CVSS AV:L/AC:M/Au:N/C:C/I:C/A:C)

Medium

6.9

Access Vector

Local

Access Complexity

Medium

Authentication

None

Confidentiality Impact

Complete

Integrity Impact

Complete

Availability Impact

Complete

Affected Products

Vendor: Splunk
Product: Splunk
Versions: 6.6.7, 6.6.5, 6.6.3, 6.6.9, 6.6.2, 6.6.10, 6.6.4, 6.6.11, 6.6.6, 6.6.1, 6.6.8, 6.6.0