Splunk Enterprise < 5.0.17 / 6.0.13 / 6.1.12 / 6.2.13 / 6.3.9 / 6.4.5 / 6.5.2 or Splunk Light < 6.5.2 Multiple Vulnerabilities

high Nessus Plugin ID 97100
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

An application running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the version of Splunk Enterprise hosted on the remote web server is 5.0.x prior to 5.0.17, 6.0.x prior to 6.0.13, 6.1.x prior to 6.1.12, 6.2.x prior to 6.2.13, 6.3.x prior to 6.3.9, 6.4.x prior to 6.4.5, or 6.5.x prior to 6.5.2;
or else it is Splunk Light prior to 6.5.2. It is, therefore, affected by multiple vulnerabilities :

- A security bypass vulnerability exists in the libarchive component due to a failure to properly check hardlinks that contain payload data. An unauthenticated, remote attacker can exploit this to bypass sandbox restrictions. (CVE-2016-5418)

- An out-of-bounds write error exists in the libarchive component in the get_line_size() function in archive_read_support_format_mtree.c that is triggered when parsing lines. An unauthenticated, remote attacker can exploit this to crash the library or disclose memory contents. (CVE-2016-8688)

- An information disclosure vulnerability exists in Splunk Light due to various system information being assigned to the global window property '$C' when a request is made to '/en-US/config?autoload=1'. An unauthenticated, remote attacker attacker can exploit this, via a specially crafted web page, to disclose sensitive information. (CVE-2017-5607)

- A denial of service vulnerability exists in the Splunk Web component due to improper validation of user-supplied input. An authenticated, remote attacker can exploit this, via a specially crafted GET request, to crash the daemon. (CVE-2017-5880)

- A flaw exists in the libarchive component in the check_symlinks() function in archive_write_disk_posix.c that is triggered during the handling of subdirectories.
An unauthenticated, remote attacker can exploit this to overwrite arbitrary files.

- A flaw exists in the libarchive component in the edit_deep_directories() function due to symlink checks and deep-directory support failing to properly handle overly long pathnames. An unauthenticated, remote attacker can exploit this to overwrite arbitrary files.

- A flaw exists in the libarchive component in the check_symlinks() function that is due to an overly aggressive cached path handling mechanism. An unauthenticated, remote attacker can exploit this to make changes to the permissions of arbitrary directories.

- An out-of-bounds write error exists in the libarchive component in the bsdtar_expand_char() function in util.c due to improper handling of crafted archives. An unauthenticated, remote attacker can exploit this, by convincing a user to open or load a specially crafted archive, to execute arbitrary code.

- A stored cross-site scripting (XSS) vulnerability exists due to improper validation of input before returning it to users. An authenticated, remote attacker who has administrative access can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session.

- A stored cross-site scripting (XSS) vulnerability exists in Splunk Light within the web interface due to improper validation of unspecified input before returning to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session.

Note that the vulnerabilities in the libarchive component do not affect Splunk Enterprise 6.5.1 or Splunk Light 6.5.1.

Solution

Upgrade to Splunk Enterprise version 5.0.17 / 6.0.13 / 6.1.12 / 6.2.13 / 6.3.9 / 6.4.5 / 6.5.2 or later. Upgrade Splunk Light to version 6.5.2 or later.

See Also

https://www.splunk.com/view/SP-CAAAPW8

https://www.splunk.com/view/SP-CAAAPYC

https://www.splunk.com/view/SP-CAAAPZ3

Plugin Details

Severity: High

ID: 97100

File Name: splunk_652.nasl

Version: 1.12

Type: remote

Family: CGI abuses

Published: 2/10/2017

Updated: 11/13/2019

Dependencies: splunkd_detect.nasl, splunk_web_detect.nasl

Risk Information

CVSS Score Source: CVE-2016-5418

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:splunk:splunk

Required KB Items: installed_sw/Splunk

Exploit Available: true

Exploit Ease: No exploit is required

Patch Publication Date: 1/25/2017

Vulnerability Publication Date: 5/17/2016

Reference Information

CVE: CVE-2016-5418, CVE-2016-8688, CVE-2017-5607, CVE-2017-5880

BID: 93165, 93781, 95804, 97265, 97286