Splunk Enterprise 7.0.0.1/7.0.1, 6.6.3.2/6.6.4, 6.5.6, 6.4.9 and 6.3.12 address multiple SAML vulnerabilities

Description

Splunk Enterprise 7.0.0.1/7.0.1, 6.6.3.2/6.6.4, 6.5.6, 6.4.9 and 6.3.12 address multiple SAML vulnerabilities.

Please note, as of 2017-Nov-14, all affected Splunk Cloud customers have been updated.

At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no Common Vulnerabilities and Exposures (CVE) identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2 (CVSS v2).

Affected Products and Components

  • Multiple SAML implementation vulnerabilities in Splunk Enterprise (CVE-2017-17067)
    • Affected Product Versions: Splunk Enterprise versions 7.0.x before 7.0.0.1/7.0.1, 6.6.x before 6.6.3.2/6.6.4, 6.5.x before 6.5.6, 6.4.x before 6.4.9, 6.3.x before 6.3.12. All Splunk cloud instances using SAML have been updated to 6.6.3.2.
    • Affected Components: All Splunk Enterprise components running Splunk Web with SAML authentication enabled.
    • Unaffected Components: Universal Forwarders and Splunk Enterprise instances where Splunk Web is disabled or not using SAML authentication.

Mitigation and Upgrades

1. Check whether you are running one of the following Splunk Enterprise versions:

- 7.0.x before 7.0.0.1/7.0.1
- 6.6.x before 6.6.3.2/6.6.4
- 6.5.x before 6.5.6
- 6.4.x before 6.4.9
- 6.3.x before 6.3.12

To display the installed version, run:

$SPLUNK_HOME/bin/splunk version

2. Check whether you have SAML login enabled.

Linux:

$SPLUNK_HOME/bin/splunk btool authentication list | grep authType

Windows:

$SPLUNK_HOME\bin\splunk btool authentication list | find "authType"

If the authType value contains the word 'SAML', the instance is running a vulnerable configuration of Splunk and should be patched immediately.

For more information, see the SAML Troubleshooting documentation.
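As an added example (not part of this advisory), the two checks above combined into one shell script that decides, from the outputs of `splunk version` and the btool authType query, whether an instance is in the affected configuration. It assumes Linux, the fixed builds listed in this advisory, and constructed sample command outputs.

```sh
# Added example, not from the advisory: classify the output of the two
# checks above. Assumes Linux; SPLUNK_HOME paths are as in the advisory.

# Compare dotted versions field by field; prints -1, 0 or 1.
vercmp() {
    i=1
    while :; do
        a=$(printf '%s' "$1" | cut -d. -f"$i")
        b=$(printf '%s' "$2" | cut -d. -f"$i")
        [ -z "$a" ] && [ -z "$b" ] && { printf '0\n'; return; }
        a=${a:-0}; b=${b:-0}
        [ "$a" -lt "$b" ] && { printf '%s\n' -1; return; }
        [ "$a" -gt "$b" ] && { printf '1\n'; return; }
        i=$((i + 1))
    done
}
# Affected if the branch is listed and the build is older than its fix.
is_affected_version() {
    case "$(printf '%s' "$1" | cut -d. -f1,2)" in
        7.0) fix=7.0.0.1 ;;  6.6) fix=6.6.3.2 ;;  6.5) fix=6.5.6 ;;
        6.4) fix=6.4.9 ;;    6.3) fix=6.3.12 ;;   *) return 1 ;;
    esac
    [ "$(vercmp "$1" "$fix")" -lt 0 ]
}
# "Splunk 6.6.3 (build ...)" -> "6.6.3"
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^Splunk \([0-9][0-9.]*\).*/\1/p'
}
# True when an authType line from btool mentions SAML.
saml_enabled() {
    printf '%s\n' "$1" | grep 'authType[[:space:]]*=.*SAML' >/dev/null
}
# 0 = vulnerable configuration: affected version with SAML enabled.
vulnerable_config() {
    ver=$(parse_version "$1")
    [ -n "$ver" ] && is_affected_version "$ver" && saml_enabled "$2"
}
# Constructed sample outputs; in use, feed the real command outputs:
#   vulnerable_config "$($SPLUNK_HOME/bin/splunk version)" \
#     "$($SPLUNK_HOME/bin/splunk btool authentication list | grep authType)"
SAMPLE_VERSION='Splunk 6.6.3 (build 1234abcd5678)'
SAMPLE_AUTH='authType = SAML'
if vulnerable_config "$SAMPLE_VERSION" "$SAMPLE_AUTH"; then
    echo "affected version with SAML enabled: patch now"
else
    echo "not in the vulnerable configuration"
fi
```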

To mitigate this issue, Splunk recommends upgrading to one of the latest releases and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes.

Vulnerability Descriptions and Ratings

Multiple SAML implementation vulnerabilities in Splunk Enterprise (CVE-2017-17067)

Description: Splunk Enterprise versions 7.0.x before 7.0.0.1/7.0.1, 6.6.x before 6.6.3.2/6.6.4, 6.5.x before 6.5.6, 6.4.x before 6.4.9 and 6.3.x before 6.3.12 contain multiple vulnerabilities in their SAML implementation. The most severe of these can permit an unauthenticated attacker to gain access to a SAML-enabled Splunk Web, or permit an authenticated user to impersonate another user or role.

Credits: Splunk would like to thank Jacob Honoroff for reporting a portion of this issue.

CVSS Severity (version 2.0):

CVSS Base Score               10.0
CVSS Impact Subscore          10.0
CVSS Exploitability Subscore  10.0
Overall CVSS Score            10.0