Splunk Enterprise < 5.0.15 / 6.0.11 / 6.1.10 / 6.2.9 / 6.3.3.4 or Splunk Light < 6.2.9 / 6.3.3.4 Multiple Vulnerabilities (DROWN)

critical Nessus Plugin ID 90705

Synopsis

The remote web server is running an application that is affected by multiple vulnerabilities.

Description

According to its version number, the instance of Splunk hosted on the remote web server is Enterprise 5.0.x prior to 5.0.15, 6.0.x prior to 6.0.11, 6.1.x prior to 6.1.10, 6.2.x prior to 6.2.9, 6.3.x prior to 6.3.3.4, Light 6.2.x prior to 6.2.9, or Light 6.3.x prior to 6.3.3.4.
It is, therefore, affected by the following vulnerabilities:

- A type confusion error exists in the bundled version of libxslt in the xsltStylePreCompute() function due to improper handling of invalid values. A context-dependent attacker can exploit this, via crafted XML files, to cause a denial of service condition. (CVE-2015-7995)

- A key disclosure vulnerability exists in the bundled version of OpenSSL due to improper handling of cache-bank conflicts on the Intel Sandy Bridge microarchitecture. An attacker can exploit this to gain access to RSA key information. (CVE-2016-0702)

- A double-free error exists in the bundled version of OpenSSL due to improper validation of user-supplied input when parsing malformed DSA private keys. A remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-0705)

- A NULL pointer dereference flaw exists in the bundled version of OpenSSL in the BN_hex2bn() and BN_dec2bn() functions. A remote attacker can exploit this to trigger a heap corruption, resulting in the execution of arbitrary code. (CVE-2016-0797)

- A denial of service vulnerability exists in the bundled version of OpenSSL due to improper handling of invalid usernames. A remote attacker can exploit this, via a specially crafted username, to leak 300 bytes of memory per connection, exhausting available memory resources. (CVE-2016-0798)

- Multiple memory corruption issues exist in the bundled version of OpenSSL that allow a remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-0799)

- A flaw exists in the bundled version of OpenSSL that allows a cross-protocol Bleichenbacher padding oracle attack known as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption). This vulnerability exists due to a flaw in the Secure Sockets Layer Version 2 (SSLv2) implementation, and it allows captured TLS traffic to be decrypted. A man-in-the-middle attacker can exploit this to decrypt the TLS connection by utilizing previously captured traffic and weak cryptography along with a series of specially crafted connections to an SSLv2 server that uses the same private key. (CVE-2016-0800)

- A flaw exists due to improper handling of specially crafted HTTP requests that contain specific headers. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

- A flaw exists due to improper handling of malformed HTTP requests. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

- A flaw exists that is triggered when directly accessing objects. An authenticated, remote attacker can exploit this to disclose search logs.

- A flaw exists due to the failure to honor the sslVersions keyword for TLS protocol versions, preventing users from enforcing TLS policies.

- A path traversal vulnerability exists in the 'collect' command due to improper sanitization of user-supplied input. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code with the privileges of the user running the splunkd process.

- A path traversal vulnerability exists in the 'inputcsv' and 'outputcsv' commands due to improper sanitization of user-supplied input. An authenticated, remote attacker can exploit this, via a specially crafted request, to access or overwrite file paths.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
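The version check that the description above relies on (each Splunk branch compared against its own fixed release) is written out below as an added Python example. It is not Tenable's plugin code, and the product names and version strings it is run against are constructed sample inputs; the affected ranges themselves are the ones stated in the description.

```python
"""Version-range check mirroring the affected ranges stated in the plugin description.

Added example for this page, not Tenable's splunk_6334.nasl. The version
strings fed to it below are constructed sample inventory entries.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Fixed release per (product, branch), as given in the description. A branch is
# the first two version components; any release in that branch below the fixed
# release is affected. Branches not listed here are not covered by this check.
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], Version]] = {
    "enterprise": {
        (5, 0): (5, 0, 15),
        (6, 0): (6, 0, 11),
        (6, 1): (6, 1, 10),
        (6, 2): (6, 2, 9),
        (6, 3): (6, 3, 3, 4),
    },
    "light": {
        (6, 2): (6, 2, 9),
        (6, 3): (6, 3, 3, 4),
    },
}


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version such as '6.3.3.4' into a tuple of ints.

    Anything after the first whitespace or hyphen (e.g. a constructed
    '6.2.1 build 245427') is ignored; non-numeric components raise ValueError.
    """
    tokens = text.strip().split()
    if not tokens:
        raise ValueError(f"empty version string: {text!r}")
    core = tokens[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def fixed_version_for(product: str, version: Version) -> Optional[Version]:
    """Return the fixed release for this product/branch, or None if not listed."""
    if len(version) < 2:
        return None
    branch = (version[0], version[1])
    return FIXED_VERSIONS.get(product.lower(), {}).get(branch)


def is_affected(product: str, version_text: str) -> bool:
    """True if a self-reported version falls inside an affected range.

    Tuple comparison handles the four-component fixed release correctly:
    (6, 3, 3) < (6, 3, 3, 4) is True and (6, 3, 4) < (6, 3, 3, 4) is False.
    """
    version = parse_version(version_text)
    fixed = fixed_version_for(product, version)
    if fixed is None:
        return False  # branch not named by the advisory
    return version < fixed


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("Enterprise", "6.3.3"),
        ("Enterprise", "6.3.3.4"),
        ("Light", "6.2.8"),
        ("Enterprise", "6.4.0"),
    ]
    for product, ver in inventory:
        status = "affected" if is_affected(product, ver) else "not affected"
        print(f"Splunk {product} {ver}: {status}")
```

As with the plugin, this is a version-only check: it says nothing about whether a given instance is actually reachable over SSLv2 or has the vulnerable search commands enabled, so a match is a reason to upgrade, not proof of exploitability.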

Solution

Upgrade to Splunk Enterprise 5.0.15 / 6.0.11 / 6.1.10 / 6.2.9 / 6.3.3.4 or later, or Splunk Light 6.2.9 / 6.3.3.4 or later.

See Also

https://www.splunk.com/view/SP-CAAAPKV

https://drownattack.com/

https://www.drownattack.com/drown-attack-paper.pdf

https://www.openssl.org/news/secadv/20160301.txt

Plugin Details

Severity: Critical

ID: 90705

File Name: splunk_6334.nasl

Version: 1.18

Type: remote

Family: CGI abuses

Published: 4/25/2016

Updated: 11/20/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-0799

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:splunk:splunk, cpe:/a:openssl:openssl

Required KB Items: installed_sw/Splunk

Exploit Ease: No exploit is required

Patch Publication Date: 4/6/2016

Vulnerability Publication Date: 2/24/2016

Reference Information

CVE: CVE-2015-7995, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800

BID: 77325, 83705, 83733, 83754, 83755, 83763

CERT: 583776