CVE-2023-32707: A Dive into Splunk Vulnerability

In recent times, a security loophole has surfaced in Splunk, a prominent software used for searching, monitoring, and analyzing machine-generated big data. The vulnerability allows a low-privileged user, with an

edit_user

role, to escalate their privileges to an admin level by crafting specific web requests. This not only exposes sensitive data but also opens doors for unauthorized control over the system.Experts have flagged versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14 as susceptible. The exploit works by manipulating the

edit_user

capability, enabling a malicious actor to change another user’s password, effectively hijacking that account. A script provided as proof of concept demonstrates the simplicity yet the significant impact of the exploit.

Solutions and Mitigations

Users are urged to upgrade to Splunk Enterprise versions 9.0.5, 8.2.11, 8.1.14, or higher. For Splunk Cloud Platform, patches are being actively applied and monitored by Splunk. Additionally, ensuring that the

edit_user

capability is only assigned to the admin role or its equivalent can serve as a mitigation measure​​.

Product	Component	Affected Versions	Fixed Version
Splunk Enterprise	Splunk Web	8.1.0 to 8.1.13	8.1.14
Splunk Enterprise	Splunk Web	8.2.0 to 8.2.10	8.2.11
Splunk Enterprise	Splunk Web	9.0.0 to 9.0.4	9.0.5
Splunk Cloud Platform	Splunk Web	9.0.2303 and below	9.0.2303.100

References

• Exploit-DB:

  Splunk 9.0.5 - admin account take over

• Splunk Advisory:

  ‘edit_user’ Capability Privilege Escalation (SVD-2023-0602)

Disclaimer: The code snippet provided is for educational purposes only. Misuse of this information for illegal activities is strictly prohibited.