Splunk response to Potential Local Privilege Escalation through instructions to run Splunk as non-root user


At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no Common Vulnerabilities and Exposures (CVE) identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2 (CVSS v2).

Affected Products and Components

  • Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192)
    • Affected Components: Splunk Enterprise, Splunk Light, Splunk Universal Forwarder.

Mitigation and Upgrades

To prevent escalation, Splunk recommends not executing the Splunk startup / run-control scripts as the root user where possible.

For further details, follow the updated "Enable boot-start as a non-root user" documentation in the Splunk Admin Manual as relevant to your environment.

Locations of Affected Files

•  Red Hat Linux - /etc/rc.d/init.d/splunk
•  HP-UX - /etc/rc.config.d/splunk
•  AIX - not impacted, as boot-start passes the user path to the mksys command
•  Solaris - /etc/init.d/splunk

Vulnerability Descriptions and Ratings

Potential Local Privilege Escalation through instructions to run Splunk as non-root user (SPL-144192)

Description: Specific configurations of Splunk Enterprise, Splunk Light, or a Splunk Universal Forwarder running as non-root that match all of the following characteristics:

1. Splunk Enterprise, Splunk Light, or the Universal Forwarder is running as a non-root user.

2. $SPLUNK_HOME and $SPLUNK_HOME/etc are both owned by the running splunk user.

3. One of the following conditions is satisfied:

    a. A Splunk init script was created via $SPLUNK_HOME/bin/splunk enable boot-start --user <user> on Splunk 6.1.x or later.

    b. A line SPLUNK_OS_USER=<user> exists in $SPLUNK_HOME/etc/splunk-launch.conf.

In these specific configurations, Splunk Enterprise, Splunk Light and Universal Forwarders are vulnerable to the Splunk Administrator being able to induce code execution as root.
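To check whether a host matches the configuration described above, the following audit script (added here as an example; it is not part of Splunk's advisory or tooling) reads SPLUNK_OS_USER from splunk-launch.conf, compares the owners of $SPLUNK_HOME and $SPLUNK_HOME/etc with the account Splunk runs as, and looks for an init script at the locations listed above. The run_user argument (the account splunkd actually runs as) and the constructed fixture in demo() are assumptions for illustration.

```python
"""Audit a Splunk install for the SPL-144192 configuration (added example, not Splunk code)."""
import os
import pwd
import re
import tempfile
from pathlib import Path

# Init-script locations listed in the advisory (AIX is not impacted).
INIT_SCRIPT_PATHS = ["/etc/rc.d/init.d/splunk", "/etc/rc.config.d/splunk", "/etc/init.d/splunk"]
OS_USER_RE = re.compile(r"^\s*SPLUNK_OS_USER\s*=\s*(\S+)", re.MULTILINE)

def parse_splunk_os_user(launch_conf_text):
    """SPLUNK_OS_USER value from splunk-launch.conf text, or None; commented lines are ignored."""
    m = OS_USER_RE.search(launch_conf_text)
    return m.group(1) if m else None

def owner_name(path):
    """Owning user name of a path, or None if it does not exist or has no passwd entry."""
    try:
        return pwd.getpwuid(os.stat(path).st_uid).pw_name
    except (FileNotFoundError, KeyError):
        return None

def matches_advisory(home_owner, etc_owner, run_user, init_script_present, launch_conf_user):
    """Conditions 1-3 of the advisory: a non-root run user owns both $SPLUNK_HOME and
    $SPLUNK_HOME/etc, and either a boot-start init script exists or SPLUNK_OS_USER is set."""
    if run_user in (None, "root") or home_owner != run_user or etc_owner != run_user:
        return False
    return init_script_present or launch_conf_user is not None

def audit(splunk_home, run_user, init_paths=INIT_SCRIPT_PATHS):
    """Collect the facts for one install; run_user is the account splunkd runs as (assumed input)."""
    home = Path(splunk_home)
    conf = home / "etc" / "splunk-launch.conf"
    launch_user = parse_splunk_os_user(conf.read_text()) if conf.is_file() else None
    facts = {"home_owner": owner_name(home), "etc_owner": owner_name(home / "etc"),
             "launch_conf_user": launch_user,
             "init_script_present": any(os.path.isfile(p) for p in init_paths)}
    facts["matches_advisory"] = matches_advisory(facts["home_owner"], facts["etc_owner"],
                                                 run_user, facts["init_script_present"], launch_user)
    return facts

def demo():
    """Constructed fixture: a throwaway $SPLUNK_HOME with SPLUNK_OS_USER set and no init script."""
    home = Path(tempfile.mkdtemp())
    (home / "etc").mkdir()
    (home / "etc" / "splunk-launch.conf").write_text("# SPLUNK_OS_USER=old\nSPLUNK_OS_USER=splunk\n")
    me = owner_name(home)  # the fixture is owned by whoever runs this script
    return me, audit(home, run_user=me, init_paths=[str(home / "no-such-init-script")])
```

On a real host, run audit("/opt/splunk", run_user) with the account shown for splunkd in the process list; a result of matches_advisory == True means the host is in the affected configuration and the mitigation above applies.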

Credits: Splunk would like to thank Hank Leininger (KoreLogic) for reporting this issue.

CVSS Severity (version 2.0):

CVSS Base Score: 8.5
CVSS Impact Subscore: 10.0
CVSS Exploitability Subscore: 6.8
Overall CVSS Score: 8.5