Splunk response to Potential Local Privilege Escalation through instructions to run Splunk as non-root user

Advisory ID: SP-CAAAP3M

CVE ID: -

Published: 2017-11-27

Last Update: 2017-11-27

CVSSv3.1 Score: -, High

CVSSv3.1 Vector: -

CWE: -

Bug ID: -

Description

Splunk response to Potential Local Privilege Escalation through instructions to run Splunk as non-root user

  • Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192)

At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no Common Vulnerabilities and Exposures (CVE) identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2 (CVSS v2).

Affected Products and Components

Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192)

Affected Components

Splunk Enterprise, Splunk Light, Splunk Universal Forwarder.

Mitigation and Upgrades

To prevent escalation, Splunk recommends not executing the Splunk startup / run-control scripts as the root user wherever possible.

For further details, follow the updated “Enable boot-start as a non-root user” documentation in the Splunk Admin Manual as relevant to your environment.

Locations of Affected Files

  • Red Hat Linux - /etc/rc.d/init.d/splunk
  • HP-UX - /etc/rc.config.d/splunk
  • AIX - Not impacted, as boot-start passes the user path to the mksys command
  • Solaris - /etc/init.d/splunk

Vulnerability Descriptions and Ratings

Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192)

Description

Specific configurations in which Splunk Enterprise, Splunk Light, or a Splunk Universal Forwarder runs as a non-root user and that match all of the following characteristics:

  1. Splunk Enterprise, Splunk Light, or the Universal Forwarder are running as non-root user.
  2. $SPLUNK_HOME and $SPLUNK_HOME/etc both are owned by the running splunk user.
  3. Satisfies one of the following conditions:
    a. A Splunk init script was created via $SPLUNK_HOME/bin/splunk enable boot-start -user on Splunk 6.1.x or later.
    b. A line with SPLUNK_OS_USER= exists in $SPLUNK_HOME/etc/splunk-launch.conf.

Installations of Splunk Enterprise, Splunk Light and the Universal Forwarder in the above configurations are vulnerable to the Splunk Administrator being able to induce code execution as root.
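The three characteristics above, together with the mitigation advice earlier on this page, translate directly into a host audit. The following POSIX shell script is an added example and is not Splunk's code: it takes SPLUNK_HOME and the account Splunk runs as (both assumed to be supplied by the operator), checks that both directories are owned by that account (condition 2), looks for a SPLUNK_OS_USER= line in splunk-launch.conf (condition 3b), and approximates condition 3a by the presence of an init script at one of the paths listed under "Locations of Affected Files" (the script cannot tell which Splunk version generated that file). The init-script paths can be overridden on the command line so the check can be exercised against constructed directories.

```shell
#!/bin/sh
# Added audit helper (not Splunk's code): reports whether a host matches the
# configuration pattern described in SPL-144192. Assumptions: the caller
# supplies SPLUNK_HOME and the account Splunk runs as; condition 3a is
# approximated by an init script existing at one of the advisory's paths.

# Succeeds when every path given is a directory owned by user $1 (condition 2).
owned_by() {
    user="$1"; shift
    for d in "$@"; do
        [ -d "$d" ] || return 1
        # POSIX find: -prune stops descent; -print fires only if -user matches.
        [ -n "$(find "$d" -prune -user "$user" -print 2>/dev/null)" ] || return 1
    done
    return 0
}

# Succeeds when splunk-launch.conf under SPLUNK_HOME $1 carries a
# SPLUNK_OS_USER= line (condition 3b).
has_os_user_line() {
    conf="$1/etc/splunk-launch.conf"
    [ -f "$conf" ] && grep -q '^[[:space:]]*SPLUNK_OS_USER=' "$conf"
}

# Succeeds when an init script exists at any path given; with no arguments it
# uses the advisory's "Locations of Affected Files" (proxy for condition 3a).
has_init_script() {
    [ $# -gt 0 ] || set -- /etc/rc.d/init.d/splunk /etc/rc.config.d/splunk /etc/init.d/splunk
    for f in "$@"; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# check_splunk_config SPLUNK_HOME USER [INIT_SCRIPT_PATH...]
# Returns 0 and prints MATCH when all three conditions hold, 1 otherwise.
check_splunk_config() {
    home="$1"; user="$2"; shift 2
    if [ "$user" = root ]; then
        echo "no match: Splunk runs as root, so the non-root pattern in SPL-144192 does not apply"
        return 1
    fi
    if ! owned_by "$user" "$home" "$home/etc"; then
        echo "no match: $home and $home/etc are not both owned by $user"
        return 1
    fi
    if has_os_user_line "$home"; then
        echo "MATCH: $home runs as $user, owns its tree, and sets SPLUNK_OS_USER in splunk-launch.conf"
        return 0
    fi
    if has_init_script "$@"; then
        echo "MATCH: $home runs as $user, owns its tree, and a boot-start init script is installed"
        return 0
    fi
    echo "no match: $home"
    return 1
}

# Usage: sh audit-spl-144192.sh /opt/splunk splunk
if [ $# -ge 2 ]; then
    check_splunk_config "$@"
fi
```

A MATCH result means the host is in the configuration the advisory describes and the updated "Enable boot-start as a non-root user" procedure should be applied; a "no match" result only means one of the listed characteristics is absent, not that the startup scripts are otherwise safe to run as root.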

Credits

Splunk would like to thank Hank Leininger (KoreLogic) for reporting this issue.

CVSS Severity (version 2.0)

CVSS Base Score 8.5
CVSS Impact Subscore 10.0
CVSS Exploitability Subscore 6.8
Overall CVSS Score 8.5

Document History

  • 2017-Oct-27: Rev 1. Initial Release