In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language SAML request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang.
- Type: Hunting
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-09-05
- Author: Rod Soto
- ID: 8e8a86d5-f323-4567-95be-8e817e2baee6
Kill Chain Phase
- Actions On Objectives
- CIS 10
1 2 3 4 5 `splunkd` event_message=*error* expr=*xpointer* | stats count min(_time) as firstTime max(_time) as lastTime by component expr splunk_server event_message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_dos_using_malformed_saml_request_filter`
The SPL above uses the following Macros:
splunk_dos_using_malformed_saml_request_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
To run this search, you must have access to the _internal index.
Known False Positives
This search will show false positives. The analyst must look for errors and a pointer indicating a malicious file.
Associated Analytic Story
|15.0||50||30||Possible DoS attack against Splunk Server $splunk_server$|
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
source | version: 1