![]() ![]() Another consequence could be an access violation exception due to a page fault, which terminates the entire splunkd service and therefore, causes a denial-of-service condition. Using a carefully crafted exploit, an attacker could read sensitive information from the splunkd process memory, and leak it into the Splunk data. Demonstrating how a specially crafted malicious S2S v3 packet could trigger CVE-2021-3422 and leak process memory data. The result is an out-of-bounds (OOB) read vulnerability in the parsing flow of this field that allows an attacker to control the offset to the value that will be dereferenced. Team82 discovered that Splunk does not verify the values of field_enum_dynamic variable type, therefore attackers can build a specifically crafted event with an arbitrary key field type value. One of the keys is a field that supports a dynamic variable type (aka field_enum_dynamic), which acts as an index and allows the forwarder to send a numeric key field that will be dynamically translated to the required string on the server side, similar to an enumerated type behavior. ![]() The new S2S protocol (v3) implementation supports different key-value types including numbers, strings, and more. Finally, the event can be constructed and sent to the indexer to be handled. Next, depending on the protocol flavor and version, the forwarder would need to communicate the supported capabilities and/or register a channel to deliver the event. In order to send an event (a single piece of data in Splunk), the forwarder would need to initiate a TCP conversation and send a unique signature that includes the protocol version. Tagging of metadata (source, source type, and host)įorwarders communicate with indexers via a special protocol called S2S (Splunk-to-Splunk), which is available in multiple versions, each with different capabilities such as data compression, tagging of metadata, and more. Splunk Indexer and Forwarder architecture (Source: Splunk documentation)įorwarders are more robust than raw network feeds for data forwarding, with capabilities across different versions such as: Forwarders require minimal resources and have little impact on performance, so the forwarder usually resides on the machine where the data originates. It is the main server receiving data from another architectural component called a forwarder, which forwards data to instances such as indexer, usually over TCP port 9997. Splunk Indexers and Forwarders Key ComponentsĪ main component of Splunk Enterprise is an indexer, which handles parsing and indexing of data. Splunk's security advisory can be found here. Users are advised to update their respective instances of Splunk Enterprise to current versions to remediate the vulnerability. Splunk has patched CVE-2021-3422, and today disclosed some additional details about the issue. ![]() Our work uncovered a vulnerability that could be triggered by an attacker to possibly leak memory or cause denial-of-service conditions, leaving organizations blind to events and incidents the software would normally alert to. As more companies converge OT under IT management, Team82 decided to research key Splunk Enterprise components. Splunk is market leader in IT operations management and analysis, and large enterprises worldwide rely on it to consume information and build intelligence around security events and gain insight into vulnerabilities. That information is indexed and correlated in such a way that it is searchable and can be used to generate alerts and other reporting. Splunk Enterprise is a platform that allows users to analyze, search, and visualize machine-generated data coming from various sources including websites, applications, OT and IoT sensors, devices, and more. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |