CVE-2023-32712

Published Jun 1, 2023

Last updated 4 months ago

Overview

Description
In Splunk Enterprise versions below 9.1.0.2, 9.0.5.1, and 8.2.11.2, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit. Universal Forwarder versions 9.1.0.1, 9.0.5, 8.2.11, and lower can be vulnerable in situations where they have management services active and accessible over the network. Universal Forwarder versions 9.0.x and 9.1.x bind management services to the local machine and are not vulnerable in this specific configuration. See SVD-2022-0605 for more information. Universal Forwarder versions 9.1 use Unix Domain Sockets (UDS) for communication, which further reduces the potential attack surface. The vulnerability does not directly affect Splunk Enterprise or Universal Forwarder. The indirect impact on Splunk Enterprise and Universal Forwarder can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine.
Source
prodsec@splunk.com
NVD status
Modified

Risk scores

CVSS 3.1

Type
Primary
Base score
3.1
Impact score
1.4
Exploitability score
1.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Severity
LOW

Weaknesses

nvd@nist.gov
CWE-116
prodsec@splunk.com
CWE-117
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-117

Social media

Hype score
Not currently trending

Configurations