Splunk calls bug bunk


No authentication allows attackers to upload malcode.

Splunk has poured cold water on a reported flaw within the free version of its forensic toolkit that allows attackers to upload and execute malware on user machines.


A security consultant reported the flaw in a feature that allows custom applications to be uploaded to the server. Those applications could, for example, be used to help search through large data repositories.

But access to the server does not require authentication in the free version, meaning anyone can upload data.

The attack took advantage of Splunk servers run as administrator, and could be mitigated if the server was run under a non-privileged account, or behind proxied authentication.

During a recent test, the consultant managed to create and upload a malicious Python application to the server.

"Once the application is running you can execute the custom search ... when the search executed my shell started and I used Netcat to connect to it. This instance of Splunk was running as root - game over," the consultant wrote.

But Splunk's security team pointed out that the flaw was not applicable to its Enterprise License product.

"We do not consider this a vulnerability," the team said in a statement to SC Magazine. "It is well documented that Splunk Free does not include authentication, and to switch to Splunk Free requires an explicit action on the part of an authorised Splunk administrator."

"Thank you for your report and your vigilance."
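The two mitigations named above (a non-privileged service account, and access only through proxied authentication) can be checked on a host. The following is an added example, not code from the article, the consultant or Splunk: it parses `ps` and `ss` output to flag Splunk processes owned by root and listeners bound to a non-loopback address. The sample output is constructed, and the ports 8000 and 8089 and the function names are assumptions.

```python
import ipaddress

# Constructed sample output (not from a real host) of `ps -eo user,pid,args`
# and `ss -ltn`. Ports 8000 (web) and 8089 (management) are assumed defaults.
SAMPLE_PS = """\
USER       PID COMMAND
root       812 /usr/sbin/sshd -D
root      1440 splunkd -p 8089 start
splunk    2210 splunkd -p 8089 restart
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8000       0.0.0.0:*
LISTEN 0      128    127.0.0.1:8089     0.0.0.0:*
LISTEN 0      128    [::1]:8000         [::]:*
"""

def root_splunk_pids(ps_text):
    """PIDs of processes whose command mentions splunk and whose owner is root."""
    pids = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)                # user, pid, full command
        if len(parts) == 3 and parts[0] == "root" and "splunk" in parts[2].lower():
            pids.append(int(parts[1]))
    return pids

def exposed_listeners(ss_text, ports=(8000, 8089)):
    """(address, port) pairs for watched ports bound to a non-loopback address."""
    hits = []
    for line in ss_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = "0.0.0.0" if addr == "*" else addr.strip("[]")
        if not port.isdigit() or int(port) not in ports:
            continue
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:                         # unparsable: report it
            loopback = False
        if not loopback:
            hits.append((addr, int(port)))
    return hits

if __name__ == "__main__":
    print("root-owned splunk processes:", root_splunk_pids(SAMPLE_PS))
    print("directly reachable listeners:", exposed_listeners(SAMPLE_SS))
```

A loopback-only listener is what a local authenticating reverse proxy would sit in front of; a listener on any other address can be reached without passing through that proxy.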


Copyright © SC Magazine, Australia
