Vulnerability in example PAM authentication script - May 10th, 2010

Table of Contents

Splunk's example PAM authentication script could allow execution of arbitrary code if enabled

Splunk's "scripted authentication" feature allows customers to set up Splunk to interface with an authentication system that is already in place, such as PAM or RADIUS. Scripted authentication is not enabled by default, and is not functional if you are using Splunk's built-in or LDAP authentication.

This notification does not apply to you if you are using Splunk built-in or LDAP authentication. This notification only applies to you if you are using Splunk scripted authentication AND have implemented it using the example PAM authentication script (pamScripted.py).

Splunk versions 3.3-3.4.13, 4.0-4.0.10, and 4.1 shipped with example python scripts that were intended to demonstrate how to set up Splunk scripted authentication. The example PAM authentication script that shipped with Splunk (pamScripted.py) contained a vulnerability that would allow an attacker to run arbitrary code without authentication. Splunk version 3.4.14, 4.0.11, and 4.1.1-4.1.2 no longer ship with this example code.

This issue was discovered internally and remediated immediately. At the time of this announcement, Splunk is not aware of any instances that this vulnerability has been exploited.

We are aware of very few customers using Splunk scripted authentication, and even fewer that are using the unmodified example code. To protect this small number of customers, Splunk version 3.4.14, 4.0.11, and 4.1.2 will disable scripted authentication if the unmodified PAM example script is in use.

If you are using Splunk's example PAM authentication script on any Splunk servers, we recommend that you immediately switch to an alternative authentication method such as local Splunk or LDAP authentication. Splunk also recommends that you ensure that you have failsafe credentials for the alternative authentication method that you choose. Otherwise, you will need shell access to the Splunk server and the necessary local credentials to reset Splunk's local authentication.

If you have any questions about the information above, please contact Support.