KL-001-2017-022 : Splunk Local Privilege Escalation

Title: Splunk Local Privilege Escalation
Advisory ID: KL-001-2017-022
Publication Date: 2017.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-022.txt


1. Vulnerability Details

     Affected Vendor: Splunk
     Affected Product: Splunk Enterprise
     Affected Version: 6.6.x
     Platform: Embedded Linux
     CWE Classification: CWE-280: Improper Handling of Insufficient
                         Permissions or Privileges
     Impact: Privilege Escalation
     Attack vector: Local

2. Vulnerability Description

     Splunk can be configured to run as a non-root user.  However,
     that user owns the configuration file that specifies the user
     to run as, so it can trivially gain root privileges.

3. Technical Description

     Splunk runs multiple daemons and network listeners as root
     by default.  It can be configured to drop privileges to a
     specified non-root user at startup such as user splunk, via
     the SPLUNK_OS_USER variable in the splunk-launch.conf file in
     $SPLUNK_HOME/etc/ (such as /opt/splunk/etc/splunk-launch.conf).

     However, the instructions for enabling such a setup call
     for chown'ing the entire $SPLUNK_HOME directory to that same
     non-root user.  For instance:

       http://docs.splunk.com/Documentation/Splunk/6.6.2/Installation/RunSplunkasadifferentornon-rootuser

       "4. Run the chown command to change the ownership of the splunk
        directory and everything under it to the user that you want
        to run the software.

          chown -R splunk:splunk $SPLUNK_HOME"

     Therefore, if an attacker gains control of the splunk account,
     they can modify $SPLUNK_HOME/etc/splunk-launch.conf to
     remove/unset SPLUNK_OS_USER so that the software will retain
     root privileges, and place backdoors under $SPLUNK_HOME/bin/,
     etc. that will take malicious actions as user root the next
     time Splunk is restarted.

4. Mitigation and Remediation Recommendation

     The vendor has published a mitigation for this vulnerability
     at: https://www.splunk.com/view/SP-CAAAP3M

5. Credit

     This vulnerability was discovered by Hank Leininger of
     KoreLogic, Inc.

6. Disclosure Timeline

     2017.08.17 - KoreLogic submits vulnerability details to Splunk.
     2017.08.17 - Splunk confirms receipt.
     2017.08.22 - Splunk notifies KoreLogic that the issue has been
                  assigned an internal ticket and will be addressed.
     2017.09.29 - 30 business days have elapsed since the vulnerability
                  was reported to Splunk.
     2017.10.17 - KoreLogic requests an update from Splunk.
     2017.10.18 - Splunk informs KoreLogic that they will issue an advisory
                  on October 28th.
     2017.10.23 - 45 business days have elapsed since the vulnerability
                  was reported to Splunk.
     2017.10.30 - Splunk notifies KoreLogic that the advisory is published.
     2017.11.03 - KoreLogic public disclosure.

7. Proof of Concept

     See 3. Technical Description.


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt