Splunk Enterprise < 5.0.17 / 6.0.13 / 6.1.12 / 6.2.13 / 6.3.9 / 6.4.5 / 6.5.2 or Splunk Light < 6.5.2 Multiple Vulnerabilities

Medium Nessus Plugin ID 97100

Synopsis

An application running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the version of Splunk Enterprise hosted on the remote web server is 5.0.x prior to 5.0.17, 6.0.x prior to 6.0.13, 6.1.x prior to 6.1.12, 6.2.x prior to 6.2.13, 6.3.x prior to 6.3.9, 6.4.x prior to 6.4.5, or 6.5.x prior to 6.5.2;
or else it is Splunk Light prior to 6.5.2. It is, therefore, affected by multiple vulnerabilities :

- A security bypass vulnerability exists in the libarchive component due to a failure to properly check hardlinks that contain payload data. An unauthenticated, remote attacker can exploit this to bypass sandbox restrictions. (CVE-2016-5418)

- An out-of-bounds write error exists in the libarchive component in the get_line_size() function in archive_read_support_format_mtree.c that is triggered when parsing lines. An unauthenticated, remote attacker can exploit this to crash the library or disclose memory contents. (CVE-2016-8688)

- An information disclosure vulnerability exists in Splunk Light due to various system information being assigned to the global window property '$C' when a request is made to '/en-US/config?autoload=1'. An unauthenticated, remote attacker attacker can exploit this, via a specially crafted web page, to disclose sensitive information. (CVE-2017-5607)

- A denial of service vulnerability exists in the Splunk Web component due to improper validation of user-supplied input. An authenticated, remote attacker can exploit this, via a specially crafted GET request, to crash the daemon. (CVE-2017-5880)

- A flaw exists in the libarchive component in the check_symlinks() function in archive_write_disk_posix.c that is triggered during the handling of subdirectories.
An unauthenticated, remote attacker can exploit this to overwrite arbitrary files.

- A flaw exists in the libarchive component in the edit_deep_directories() function due to symlink checks and deep-directory support failing to properly handle overly long pathnames. An unauthenticated, remote attacker can exploit this to overwrite arbitrary files.

- A flaw exists in the libarchive component in the check_symlinks() function that is due to an overly aggressive cached path handling mechanism. An unauthenticated, remote attacker can exploit this to make changes to the permissions of arbitrary directories.

- An out-of-bounds write error exists in the libarchive component in the bsdtar_expand_char() function in util.c due to improper handling of crafted archives. An unauthenticated, remote attacker can exploit this, by convincing a user to open or load a specially crafted archive, to execute arbitrary code.

- A stored cross-site scripting (XSS) vulnerability exists due to improper validation of input before returning it to users. An authenticated, remote attacker who has administrative access can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session.

- A stored cross-site scripting (XSS) vulnerability exists in Splunk Light within the web interface due to improper validation of unspecified input before returning to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session.

Note that the vulnerabilities in the libarchive component do not affect Splunk Enterprise 6.5.1 or Splunk Light 6.5.1.

Solution

Upgrade to Splunk Enterprise version 5.0.17 / 6.0.13 / 6.1.12 / 6.2.13 / 6.3.9 / 6.4.5 / 6.5.2 or later. Upgrade Splunk Light to version 6.5.2 or later.

See Also

https://www.splunk.com/view/SP-CAAAPW8

https://www.splunk.com/view/SP-CAAAPYC

https://www.splunk.com/view/SP-CAAAPZ3

Plugin Details

Severity: Medium

ID: 97100

File Name: splunk_652.nasl

Version: 1.12

Type: remote

Family: CGI abuses

Published: 2017/02/10

Updated: 2019/11/13

Dependencies: 49069, 47619

Risk Information

Risk Factor: Medium

CVSS Score Source: CVE-2016-5418

CVSS v2.0

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:splunk:splunk

Required KB Items: installed_sw/Splunk

Exploit Available: true

Exploit Ease: No exploit is required

Patch Publication Date: 2017/01/25

Vulnerability Publication Date: 2016/05/17

Reference Information

CVE: CVE-2016-5418, CVE-2016-8688, CVE-2017-5607, CVE-2017-5880

BID: 93165, 93781, 95804, 97265, 97286