Critical Splunk bug propagates code execution

Splunk is warning of a critical vulnerability which endangers any endpoint subscribed to a Splunk deployment server.

As the company explains here, Universal Forwarders are modules that collect client data in remote sources and forward the data to Splunk, and the deployment server pushes configuration data to the forwarders.

The bug has a critical on the Common Vulnerability Scoring System (a score of 9.0 in this case) because if an attacker compromises one Universal Forwarded (UF) endpoint in a Splunk deployment, they can push arbitrary code that will execute on all other UF endpoints subscribed to that deployment server.

In an enterprise deployment, that could amount to a compromise of thousands of endpoints.

America’s Centre for Internet Safety provides a technical explanation of CVE-2022-32158 here.

The vulnerability, CI Security explained, can deploy forwarder bundles to other clients through the deployment server.

“When a deployment server is used, it allows the creation of configuration bundles that can be automatically downloaded by Splunk Universal Forwarder (SUF) agents or other Splunk Enterprise instances such as heavy forwarders,” it said.

As well as plain text configuration files, the configuration bundles can include binary packages, “most commonly used for specific connectors”.

When fetched by the SUF, it will execute the binary, and by default, most SUF agents run with Windows SYSTEM privilege, the CI Security post explains.

Splunk has patched version 9.0 of its Enterprise deployment servers, but has not yet patched versions prior to 9.0. Rather, it recommends users of older versions upgrade to 9.0.

Only the deployment server needs the patch. The Splunk Cloud Platform doesn’t use deployment servers, and patching the SUFs doesn’t fix this bug. 

As this user explained on Splunk’s forums, deployment servers are only needed for pushing software out to SUFs - if the server isn’t currently in use, stopping it will block the vulnerability.