In recent times, a security loophole has surfaced in Splunk, a prominent software used for searching, monitoring, and analyzing machine-generated big data. The vulnerability allows a low-privileged user, with an
edit_user role, to escalate their privileges to an admin level by crafting specific web requests. This not only exposes sensitive data but also opens doors for unauthorized control over the system.
Experts have flagged versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14 as susceptible. The exploit works by manipulating the
edit_user capability, enabling a malicious actor to change another user’s password, effectively hijacking that account. A script provided as proof of concept demonstrates the simplicity yet the significant impact of the exploit.
Solutions and Mitigations
Users are urged to upgrade to Splunk Enterprise versions 9.0.5, 8.2.11, 8.1.14, or higher. For Splunk Cloud Platform, patches are being actively applied and monitored by Splunk. Additionally, ensuring that the
edit_user capability is only assigned to the admin role or its equivalent can serve as a mitigation measure.
8.1.0 to 8.1.13
8.2.0 to 8.2.10
9.0.0 to 9.0.4
Splunk Cloud Platform
9.0.2303 and below
Disclaimer: The code snippet provided is for educational purposes only. Misuse of this information for illegal activities is strictly prohibited.