Splunk Enterprise < 5.0.17 / 6.0.13 / 6.1.12 / 6.2.12 / 6.3.8 / 6.4.4 or Splunk Light < 6.5.0 Multiple Vulnerabilities

Critical Nessus Plugin ID 94932

Synopsis

An application running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the version of Splunk Enterprise hosted on the remote web server is 5.0.x prior to 5.0.17, 6.0.x prior to 6.0.13, 6.1.x prior to 6.1.12, 6.2.x prior to 6.2.12, 6.3.x prior to 6.3.8, or 6.4.x prior to 6.4.4; or else it is Splunk Light prior to 6.5.0. It is, therefore, affected by multiple vulnerabilities :

- A heap buffer overflow condition exists in Python, specifically in the get_data() function within file Modules/zipimport.c, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via negative data size values, to cause a denial of service condition or the possible execution of arbitrary code. (CVE-2016-5636)

- A CRLF injection vulnerability exists in Python, specifically in the HTTPConnection.putheader() function within file Modules/zipimport.c. An unauthenticated, remote attacker can exploit this to inject arbitrary HTTP headers via CRLF sequences in a URL, allowing cross-site scripting (XSS) and other attacks.
(CVE-2016-5699)

- A flaw exists in Python within the smtplib library due to a failure to properly raise exceptions when smtp servers are able to negotiate starttls but fail to respond properly. A man-in-the-middle attacker can exploit this issue to bypass TLS protections via a 'StartTLS stripping attack.' (CVE-2016-0772)

- An HTTP request injection vulnerability exists in Splunk that permits leakage of authentication tokens. An unauthenticated, remote attacker can exploit this to access the Splunk REST API with the same rights as the user.

Note that the Python vulnerabilities stated above do not affect the Splunk Enterprise 6.4.x versions, and the HTTP request injection vulnerability does not affect the Splunk Light versions.

Solution

Upgrade Splunk Enterprise to version 5.0.17 / 6.0.13 / 6.1.12 / 6.2.12 / 6.3.8 / 6.4.4 or later, or Splunk Light to version 6.5.0 or later.

See Also

https://www.splunk.com/view/SP-CAAAPSR

Plugin Details

Severity: Critical

ID: 94932

File Name: splunk_650.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 2016/11/17

Updated: 2019/01/02

Dependencies: 49069, 47619

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:splunk:splunk

Exploit Available: false

Exploit Ease: No exploit is required

Patch Publication Date: 2016/11/10

Vulnerability Publication Date: 2014/11/24

Reference Information

CVE: CVE-2016-5636, CVE-2016-5699, CVE-2016-0772

BID: 91225, 91226, 91247