Security Advisory Regarding Splunk Enterprise Deployment Servers

CVE-2022-32158 Details

Hurricane Labs is aware of the recent vulnerability involving Splunk Enterprise deployment servers. This vulnerability was announced by Splunk on 2022-06-14. 

Successful exploitation of this vulnerability could result in a compromised universal forwarder being able to leverage the deployment server to distribute configuration changes to all other universal forwarders connected to the deployment server. 

Affected Products

All Splunk Enterprise deployment servers prior to versions 9.0 are vulnerable. No patch or workarounds are currently available for older Splunk versions. Splunk has indicated that they do not intend to port the fix for this issue to older versions of Splunk Enterprise. 

Known Attack Vectors

At the time of the release of the vulnerability, Splunk is not aware of any active exploitation of this vulnerability. 

Should I be concerned?

This is a developing vulnerability that affects every Splunk Enterprise environment where a Deployment Server is used to manage Universal Forwarders. Hurricane Labs is currently working to identify the best strategy to resolve this vulnerability while minimizing the risk of impact to our clients. 

Detection and mitigation

If you are concerned and want to make sure that your organization is protected against this issue, here are some details you should be aware of as well as actions we can take: 

Resolution

To remediate CVE-2022-32158, an upgrade to Splunk 9.0 on your deployment server is required. At the time of this writing (2022-06-14), there is no patch available for any supported versions of Splunk, and there are no plans to backport the fix to prior Splunk versions, including Splunk 8.2.x and older. 

Given that Splunk 9.0 is a brand new release (first available 2022-06-14), we understand that upgrading to this new version may not be the preferred option. As an alternative, access to the deployment server can be temporarily restricted (and only enabled when configuration updates are required) in order to reduce the available attack surface within your organization. 

Hurricane Labs’ recommended actions

Hurricane Labs recommends that you consider the following options for resolution of this issue:

• Out of band upgrade of the deployment server to Splunk Enterprise 9.0.
  • This option is only currently recommended if you have a standalone deployment server.
  • NB: Hurricane Labs has not yet performed extensive testing of the Splunk Enterprise 9.0 release at this time. We have successfully performed limited testing of this version with several universal forwarders in our lab, production, and some client environments prior to the release of this advisory to all clients. 
  • We can perform a backup of the Splunk installation on the Deployment Server to facilitate the rollback of this system in the event it is required.
    
• Temporarily disable access to the deployment server.
  • This option is only practical if you have a standalone deployment server.
  • Enable host firewall rules on the deployment server to limit management traffic to Splunk infrastructure only. Remove these host firewall rules on this instance only when making changes to forwarders or other deployment clients.
  • This option can be implemented by Hurricane Labs on the Hurricane Labs managed OS platform. On client-managed platforms, host firewall changes would need to be implemented by the client’s team. 
  • This workaround will impact the ability to reliably deploy configuration changes to universal forwarders when the deployment server is offline. 

References

• Splunk Enterprise deployment servers allow client publishing of forwarder bundles via Splunk Product Security