Security Advisory Regarding Splunk Enterprise Deployment Servers

CVE-2022-32158 Details

Hurricane Labs is aware of the recent vulnerability in Splunk Enterprise deployment servers. The announcement was made by Splunk on 2022-06-14. 

Successful exploitation of this vulnerability could result in the compromise of a universal forwarder and the ability to leverage the deployment server. As such, this could result in the distribution of configuration changes to all other connected universal forwarders. 

Affected Products

All Splunk Enterprise deployment servers prior to versions 9.0 are vulnerable. Additionally, no patch or workarounds are currently available for older Splunk versions. The indication by Splunk is that they do not intend to port the fix for this issue to older versions of Splunk Enterprise. 

Known Attack Vectors

Splunk was not aware of any active exploitation of this vulnerability at the time of release. 

Should I be concerned?

This is a developing vulnerability. As such, it affects every Splunk Enterprise environment where a Deployment Server is used to manage Universal Forwarders. Due to these issues, Hurricane Labs is currently working to identify the best strategy to resolve this vulnerability while minimizing the risk of impact to our clients. 

Detection and mitigation

If you have concerns, here are the details and recommendations you should be aware of: 

Resolution

To remediate CVE-2022-32158, an upgrade to Splunk 9.0 on your deployment server is necessary. At the time of this writing (2022-06-14), there is no patch available for any supported versions of Splunk. Additionally, there are no plans to backport the fix to prior Splunk versions, including Splunk 8.2.x and older. 

Given that Splunk 9.0 is a brand new release (first available 2022-06-14), we understand that upgrading to this new version may not be the preference. As an alternative, access to the deployment server can be temporarily restricted–and only enabled when configuration updates are required. As such, this will reduce the available attack surface within your organization. 

Hurricane Labs’ action recommendations

Hurricane Labs recommends that you consider the following resolution options:

• Out of band upgrade of the deployment server to Splunk Enterprise 9.0.
  • This option is only a current recommendation if you have a standalone deployment server.
  • NB: Hurricane Labs has not yet performed extensive testing of the Splunk Enterprise 9.0 release. However, we have successfully performed limited testing of this version with several universal forwarders in our lab, production, and some client environments prior to the release of this advisory. 
  • We can perform a backup of the Splunk installation on the Deployment Server to facilitate the rollback of this system in the event that is a requirement.
    
• Temporarily disable access to the deployment server.
  • This option is only practical if you have a standalone deployment server.
  • Enable host firewall rules on the deployment server to limit management traffic to Splunk infrastructure only. Remove these host firewall rules on this instance only when making changes to forwarders or other deployment clients.
  • This option can be implemented by Hurricane Labs on the Hurricane Labs managed OS platform. On client-managed platforms, host firewall changes would need to be implemented by the client’s team. 
  • This workaround will impact the ability to reliably deploy configuration changes to universal forwarders when the deployment server is offline. 

References

• Splunk Enterprise deployment servers allow client publishing of forwarder bundles via Splunk Product Security