RCE CVE-2023-46214

DanAlexander · ‎11-25-2023

Hello community,

Can anyone please help me understand if the newest vulnerability can exploit a pure on prem Splunk Enterprise clustered solution?

Can an arbitrary code be pushed remotely via any means?

Splunk documentation and advisory are not very clear and just saying SE but not mentioning anything about 1.5 DTI and non publicity connected SE instance.

Thank you.

richgalloway · ‎11-26-2023

That vulnerability has a CVSS vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H, which means it requires network access and credentials to exploit. If your Splunk is not accessible by outsiders then your vulnerability is lower. See https://advisory.splunk.com/advisories/SVD-2023-1104 for everything public about the vulnerability.

---
If this reply helps you, Karma would be appreciated.

DanAlexander · ‎11-26-2023

Hi, thanks for the reply @richgalloway

All you said make sense.

However, there are few scenarios where this statements might be out of order. Let me justify what I think.

Splunk SE accessible from outside? Do not think any on prem instance is designed to be remote accessable.

Anything can be reached vIa a switch (IP + port). All can of course be configured to restrict Internet to Intranet communication.

Not even considering insiders and how all even read only users handle queries they send to the SE switch URI etc.

I am sure the following will change our perspective of what this may cause if ignored as low severity: https://blog.hrncirik.net/cve-2023-46214-analysis

Attackers, attack as service plus AI capabilities makes it even harder for defenders to defend. We simply do not know what we do not know in most instances before they get announced as Zero days.

Thanks

RCE CVE-2023-46214

authentication

login

permissions

SAML

SSL

SSO

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!