Splunk Endpoint Denial of Service DoS Zip Bomb

Try in Splunk Security Cloud

Description

This search allows operator to identify Splunk search app crashes resulting from specially crafted ZIP file using file monitoring that affects UF versions 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect Zip Bomb attack before crash. This search will provide Universal Forwarder errors from uploaded binary files (zip compression) which are used for this attack. If an analyst sees results from this search we suggest you investigate and triage what zip file was uploaded, zip compressed files may have different extensions.

• Type: TTP

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2022-08-02
• Author: Marissa Bower, Rod Soto, Splunk
• ID: b237d393-2f57-4531-aad7-ad3c17c8b041

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1499	Endpoint Denial of Service	Impact

Kill Chain Phase

• Actions On Objectives

NIST

• DE.CM

CIS20

• CIS 10

CVE

ID	Summary	CVSS
CVE-2022-37439	In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file monitoring input can result in a crash of the application. Attempts to restart the application would result in a crash and would require manually removing the malformed file.	None

Search

`splunkd` component=FileClassifierManager event_message=*invalid* event_message=*binary* 
|stats count by host component event_message 
| `splunk_endpoint_denial_of_service_dos_zip_bomb_filter`

Macros

The SPL above uses the following Macros:

• splunkd

splunk_endpoint_denial_of_service_dos_zip_bomb_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• source
• component
• event_message
• host

How To Implement

Need to monitor Splunkd data from Universal Forwarders.

Known False Positives

This search may reveal non malicious zip files causing errors as well.

Associated Analytic Story

• Splunk Vulnerabilities

RBA

Risk Score	Impact	Confidence	Message
75.0	100	75	Potential exposure of environment variables from url embedded in dashboard

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://en.wikipedia.org/wiki/ZIP_(file_format)
• https://www.splunk.com/en_us/product-security.html

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1