Splunk calls bug bunk

No authentication allows attackers to upload malcode.

Splunk has poured cold water on a reported flaw within the free version of its forensic toolkit that allows attackers to upload and execute malware on user machines.

The flaw was reported by a security consultant in a feature that allows custom applications to be uploaded to the server. Such applications can, for example, be used to search through large data repositories.

But access to the server does not require authentication in the free version, meaning anyone can upload data.

The attack relied on the Splunk server running as administrator, and could be mitigated by running the server under a non-privileged account or behind proxied authentication.
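The condition that turned the upload into a full compromise was the daemon running as root. A small audit that checks the owner of every running `splunkd` process is an added example here, not code from the article or from Splunk; it assumes a POSIX `ps` whose `-eo user=,pid=,comm=` output has one process per line, and that Splunk's daemon is named `splunkd`. The sample process listing embedded in the block is constructed for the offline run.

```python
"""Check whether a daemon (default: splunkd) runs under a privileged account.

Added example, not from the article or from Splunk. Assumes POSIX `ps` output
in the form `user pid comm`; 'splunkd' is Splunk's daemon process name.
"""
import subprocess

# Accounts whose ownership of the daemon we treat as a finding.
PRIVILEGED_USERS = {"root"}

# Constructed sample of `ps -eo user=,pid=,comm=` output used when `ps` is unavailable.
SAMPLE_PS = [
    "root         1 init",
    "root      4242 splunkd",      # privileged instance: this is the finding
    "splunk    4243 splunkd",      # unprivileged instance: as recommended
    "www-data  5100 nginx",
]


def parse_ps(lines):
    """Parse `ps -eo user=,pid=,comm=` lines into (user, pid, comm) tuples.

    Blank or malformed lines are skipped rather than raising.
    """
    rows = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        user, pid, comm = parts
        rows.append((user, int(pid), comm.strip()))
    return rows


def privileged_instances(rows, daemon="splunkd"):
    """Return [(pid, user)] for every `daemon` process owned by a privileged user."""
    return [(pid, user) for user, pid, comm in rows
            if comm == daemon and user in PRIVILEGED_USERS]


def audit(lines, daemon="splunkd"):
    """Return a one-line verdict: OK, FAIL (with offending pids), or NOT RUNNING."""
    rows = parse_ps(lines)
    if not any(comm == daemon for _, _, comm in rows):
        return f"NOT RUNNING: no {daemon} process found"
    bad = privileged_instances(rows, daemon)
    if bad:
        return "FAIL: " + ", ".join(f"{daemon} pid {p} runs as {u}" for p, u in bad)
    return f"OK: every {daemon} process runs unprivileged"


def live_ps_lines():
    """Run the real `ps`; fall back to the constructed sample if it is unavailable."""
    try:
        out = subprocess.run(["ps", "-eo", "user=,pid=,comm="],
                             capture_output=True, text=True, check=True).stdout
        return out.splitlines()
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_PS


if __name__ == "__main__":
    print(audit(live_ps_lines()))
```

The script only reports the process owner; the second mitigation the article mentions, putting the server behind proxied authentication, is a deployment choice that this check does not cover.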

During a recent test, the consultant created and uploaded a malicious Python application to the server.

"Once the application is running you can execute the custom search ... when the search executed my shell started and I used Netcat to connect to it. This instance of Splunk was running as root - game over," the consultant wrote.

But Splunk's security team pointed out that the flaw was not applicable to its Enterprise License product.

"We do not consider this a vulnerability," the team said in a statement to SC Magazine. "It is well documented that Splunk Free does not include authentication, and to switch to Splunk Free requires an explicit action on the part of an authorised Splunk administrator."

"Thank you for your report and your vigilance."

Copyright © SC Magazine, Australia
