topic Re: Sensitive Information disclosure ? Splunk 8.0.0 in Security

Splunk 8.0.0: Sensitive Information disclosure?

randre — Wed, 02 Dec 2020 04:18:30 GMT

I have got a pentest results with the following :

It was possible to access those endpoints unauthenticated :

https://x.x.x.x/en-US/config
https://x.x.x.x/en-GB/config
https://x.x.x.x/en-US/info
https://x.x.x.x/en-US/paths
https://x.x.x.x/en-us/lists
https://x.x.x.x/en-US/embed

Is it really a vulnerability ? They said that it's config data, not public data so it should not be visible.

How can we remove those endpoints from being reached unauthenticated ?

Re: Sensitive Information disclosure ? Splunk 8.0.0

richgalloway — Wed, 25 Nov 2020 13:43:41 GMT

Perhaps your firewall can be used to restrict access to those endpoints. They'll still be open, but the risk will be lower.

The acceptFrom attribute in server.conf may help limit access to the endpoints.

You can try setting requireAuthentication = true in restmap.conf, but I don't know if this will do what you want. Try it on a test system first.

Re: Sensitive Information disclosure ? Splunk 8.0.0

randre — Mon, 30 Nov 2020 08:31:32 GMT

Thanks

requireAuthentication defaults to true anyway so it should not fix my issue.

And I have to keep acceptFrom *

My problem is that I don't find documentation about those endpoints so I am not even sure it's a security issue.

Re: Sensitive Information disclosure ? Splunk 8.0.0

richgalloway — Mon, 30 Nov 2020 13:48:26 GMT

Try the endpoints yourself to see what they return. If you don't like what comes out then it's a security issue. 😀

Re: Sensitive Information disclosure ? Splunk 8.0.0

randre — Mon, 30 Nov 2020 14:03:08 GMT

Yeah I checked those and I am fine with them.

The problem is that according to a pentest, it publicly exposes config data.

So I now need to show that it is actually fine (but not finding docs for that is not helping) or I need to block those URLs.

Looks like it is not possible via configuration and I would really like not having to keep a set of rules on the network devices.

Re: Sensitive Information disclosure ? Splunk 8.0.0

richgalloway — Mon, 30 Nov 2020 15:01:06 GMT

The pentest is one opinion; yours is another. You know more about Splunk so your opinion should count for more. If you believe the information disclosed is not a problem then you should be able to convince your company to accept that over the pentest results.

The endpoints should be documented in the REST API manual, but that will detail the requests and responses. It won't say "this is not a vulnerability". It's up to you to make that decision.

Re: Sensitive Information disclosure ? Splunk 8.0.0

randre — Tue, 01 Dec 2020 21:48:45 GMT

Is it the REST API though ?

Like I said I was not able to find documentation about those endpoints.

Sounds silly but if you can find it that would great... (and would also be troublesome for me).

Re: Sensitive Information disclosure ? Splunk 8.0.0

richgalloway — Wed, 02 Dec 2020 13:53:07 GMT

I said it should be in the REST API manual, not that it is. If you find an endpoint that is not documented then consider submitting feedback on the API manual so it can be included.