Description

Keeping your Splunk deployment up to date is critical and may help you reduce the risk of CVE-2016-4859, an open-redirection vulnerability within some older versions of Splunk Enterprise. The detection search will help ensure that users are being properly authenticated and not being redirected to malicious domains.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2017-09-19
  • Author: Bhavin Patel, Splunk
  • ID: 4e692b96-de2d-4bd1-9105-37e2368a8db1

Narrative

This Analytic Story is associated with CVE-2016-4859, an open-redirect vulnerability in the following versions of Splunk Enterprise:

  1. Splunk Enterprise 6.4.x, prior to 6.4.3
  2. Splunk Enterprise 6.3.x, prior to 6.3.6
  3. Splunk Enterprise 6.2.x, prior to 6.2.10
  4. Splunk Enterprise 6.1.x, prior to 6.1.11
  5. Splunk Enterprise 6.0.x, prior to 6.0.12
  6. Splunk Enterprise 5.0.x, prior to 5.0.16
  7. Splunk Light, prior to 6.4.3

CVE-2016-4859 allows attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. (Credit: Noriaki Iwasaki, Cyber Defense Institute, Inc.)

It is important to ensure that your Splunk deployment is kept up to date and properly configured. This detection search allows analysts to monitor internal logs to ensure users are properly authenticated and cannot be redirected to malicious third-party websites.
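As an added illustration of the kind of check the narrative describes (this is not the analytic story's own SPL search), the following Python scans constructed web access log lines for login requests whose redirect target points off-site. The return_to parameter name, the login path and the log layout are assumptions made for the example.

```python
"""Flag login requests whose return_to target would leave the Splunk deployment.

Added example, not the analytic story's own search. Assumptions: the login
endpoint accepts a `return_to` query parameter and requests are recorded in a
combined-style web access log; both are constructed for this illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a combined-log-like layout (not real Splunk logs).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2017:10:01:02 +0000] "GET /en-US/account/login?return_to=%2Fen-US%2Fapp%2Fsearch HTTP/1.1" 200 512
10.0.0.7 - - [19/Sep/2017:10:02:15 +0000] "GET /en-US/account/login?return_to=http%3A%2F%2Fexample.org%2Flogin HTTP/1.1" 303 0
10.0.0.9 - - [19/Sep/2017:10:03:44 +0000] "GET /en-US/account/login?return_to=%2F%2Fexample.net%2F HTTP/1.1" 303 0
10.0.0.11 - - [19/Sep/2017:10:04:10 +0000] "GET /en-US/account/login?return_to=%2F%5Cexample.com HTTP/1.1" 303 0
10.0.0.13 - - [19/Sep/2017:10:05:01 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def is_external_target(value: str) -> bool:
    """True when a decoded return_to value would send the browser off-origin."""
    # Browsers treat a backslash like a forward slash in URL prefixes,
    # so "/\host" is really a protocol-relative "//host".
    normalised = value.strip().replace("\\", "/")
    parts = urlsplit(normalised)
    # Absolute URL (has a scheme) or protocol-relative //host are both off-site;
    # a plain local path such as /en-US/app/search is not.
    return bool(parts.scheme) or normalised.startswith("//")


def find_open_redirects(log_text: str) -> list[dict]:
    """Return one record per login request carrying an off-site return_to."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        uri = urlsplit(m.group("uri"))
        if not uri.path.endswith("/account/login"):
            continue
        # parse_qs already percent-decodes the value once, as the server would.
        for target in parse_qs(uri.query).get("return_to", []):
            if is_external_target(target):
                hits.append({"src": m.group("src"), "ts": m.group("ts"),
                             "status": m.group("status"), "return_to": target})
    return hits
```

A sudden appearance of such records, especially with a 303 status, is the signal to compare against the patched version list above and to review who was sent where.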

Detections

  • Name: Open Redirect in Splunk Web
  • Technique: None
  • Type: TTP

Reference

source | version: 1