An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server.
- Type: Hunting
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-07-13
- Author: Rod Soto
- ID: de3908dc-1298-446d-84b9-fa81d37e959b
Kill Chain Phase
- CIS 10
| ID | Summary | CVSS | | ———– | ———– | ————– | | CVE-2023-32712 | In Splunk Enterprise versions below 18.104.22.168, 22.214.171.124, and 126.96.36.199, an attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files that, when a vulnerable terminal application reads them, can potentially, at worst, result in possible code execution in the vulnerable application. This attack requires a user to use a terminal application that supports the translation of ANSI escape codes to read the malicious log file locally in the vulnerable terminal, and to perform additional user interaction to exploit. Universal Forwarder versions 188.8.131.52, 9.0.5, 8.2.11, and lower can be vulnerable in situations where they have management services active and accessible over the network. Universal Forwarder versions 9.0.x and 9.1.x bind management services to the local machine and are not vulnerable in this specific configuration. See SVD-2022-0605 for more information. Universal Forwarder versions 9.1 use Unix Domain Sockets (UDS) for communication, which further reduces the potential attack surface. The vulnerability does not directly affect Splunk Enterprise or Universal Forwarder. The indirect impact on Splunk Enterprise and Universal Forwarder can vary significantly depending on the permissions in the vulnerable terminal application and where and how the user reads the malicious log file. For example, users can copy the malicious file from the Splunk Enterprise instance and read it on their local machine. | None |
1 2 3 `splunkd_webx` uri_path IN ("*\x1B*", "*\u001b*", "*\033*", "*\0x9*", "*\0x8*") | stats count by uri_path method host status clientip | `splunk_unauthenticated_log_injection_web_service_log_filter`
The SPL above uses the following Macros:
splunk_unauthenticated_log_injection_web_service_log_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index.
Known False Positives
This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters.
Associated Analytic Story
|9.0||30||30||Possible Splunk unauthenticated log injection web service log exploitation attempt against $host$ from $clientip$|
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
source | version: 1