Splunk Improperly Formatted Parameter Crashes splunkd

Try in Splunk Security Cloud

Description

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, when the INGEST\_EVAL parameter is improperly formatted, it crashes splunkd. This hunting search provides the user, timing and number of times the crashing command was executed.

• Type: TTP
• Product: Splunk Enterprise
• Datamodel: Endpoint
• Last Updated: 2023-02-14
• Author: Chase Franklin, Rod Soto, Splunk
• ID: 08978eca-caff-44c1-84dc-53f17def4e14

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1499	Endpoint Denial of Service	Impact

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 3
• CIS 5
• CIS 16

CVE

ID	Summary	CVSS
CVE-2023-22941	In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).	None

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.search="*makeresults*"AND Search_Activity.search="*ingestpreview*transforms*") Search_Activity.search_type=adhoc Search_Activity.search!="*splunk_improperly_formatted_parameter_crashes_splunkd_filter*" Search_Activity.user!=splunk-system-user by Search_Activity.search, Search_Activity.info, Search_Activity.total_run_time, Search_Activity.user, Search_Activity.search_type 
| `drop_dm_object_name(Search_Activity)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `splunk_improperly_formatted_parameter_crashes_splunkd_filter`

Macros

The SPL above uses the following Macros:

• security_content_summariesonly
• security_content_ctime

splunk_improperly_formatted_parameter_crashes_splunkd_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• user
• count
• info

How To Implement

Requires access to audittrail and use of Splunk_Audit.Search_Activity datamodel.

Known False Positives

This is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives.

Associated Analytic Story

• Splunk Vulnerabilities

RBA

Risk Score	Impact	Confidence	Message
100.0	100	100	An attempt to exploit ingest eval parameter was detected from $user$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.splunk.com/en_us/product-security.html

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499/splunk_improperly_formatted_ingest_eval_parameter_crashes_splunkd_data.log

source | version: 1