Splunk DoS Using Malformed SAML Request
Description
In Splunk Enterprise versions lower than 9.0.6, and 8.2.12, an attacker can send a malformed security assertion markup language SAML request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead it attempts to access the modified URI, which causes the Splunk daemon to crash or hang.
- Type: Hunting
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-09-05
- Author: Rod Soto
- ID: 8e8a86d5-f323-4567-95be-8e817e2baee6
Annotations
Kill Chain Phase
- Actions On Objectives
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
`splunkd` event_message=*error* expr=*xpointer*
| stats count min(_time) as firstTime max(_time) as lastTime by component expr splunk_server event_message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_dos_using_malformed_saml_request_filter`
Macros
The SPL above uses the following Macros:
splunk_dos_using_malformed_saml_request_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- component
- expr
- host
- event_message
How To Implement
To run this search, you must have access to the _internal index.
Known False Positives
This search will show false positives. The analyst must look for errors and a pointer indicating a malicious file.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 15.0 | 50 | 30 | Possible DoS attack against Splunk Server $splunk_server$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1