topic Re: Can you clarify Vulnerability report SPL-144192? in Splunk Search

Can you clarify Vulnerability report SPL-144192?

chriswilkes33 — Thu, 30 Nov 2017 21:23:41 GMT

Vulnerability report SPL-144192 seems to have contradicting data in it. It begins by talking about being vulnerable to this specific thing when running init or control scripts as a root user, but later in the report it mentions some specific conditions you must meet to be vulnerable, the first being run init scripts as non-root user.

Soooo...which is it?

How do I know if I'm vulnerable with such contradictory information?

I don't have enough karma points to post links apparently, even to splunks own web servers, but Ive attempted below to post a link in case it lets me...

splunk.com/view/SP-CAAAP3M#MitigationandUpgrades

Re: Can you clarify Vulnerability report SPL-144192?

harsmarvania57 — Tue, 29 Sep 2020 16:59:55 GMT

Hi @chriswilkes33,

Before you go through below content, please consider below configuration for Redhat only and I am considering that splunk is running as splunk user, command or configuration might change for different version of OS. 😛

After Splunk version 6.1, splunk changed init script which you created by root user using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user>

So /etc/init.d/splunk script includes command like for start, stop, restart and status

      "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
      "/opt/splunkforwarder/bin/splunk" stop
      "/opt/splunkforwarder/bin/splunk" restart
      "/opt/splunkforwarder/bin/splunk" status

However before Splunk version 6.1 when you created /etc/init.d/splunk using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user at that start, stop, restart and status command looke like below

  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "

Now whether you are affected or not, you need to check 2 things

If $SPLUNK_HOME/etc/splunk-launch.conf contains SPLUNK_OS_USER=<user> line

And you created init script after splunk version 6.1, using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user, which contains command as below

      "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
      "/opt/splunkforwarder/bin/splunk" stop
      "/opt/splunkforwarder/bin/splunk" restart
      "/opt/splunkforwarder/bin/splunk" status

If you satisfy both the condition then you are affected.
Mitigation is you need to change those command to look like this

su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "

I hope this clears.

Thanks,
Harshil

Re: Can you clarify Vulnerability report SPL-144192?

DATEVeG — Mon, 04 Dec 2017 08:31:58 GMT

Thanks! That sounds reasonable.

Will there be a proper solution by splunk for this problem?

Re: Can you clarify Vulnerability report SPL-144192?

harsmarvania57 — Mon, 04 Dec 2017 08:41:14 GMT

As of now splunk suggested to update /etc/init.d/splunk as per answer given by me.

Re: Can you clarify Vulnerability report SPL-144192?

chriswilkes33 — Mon, 04 Dec 2017 14:35:54 GMT

Thanks for the explanation. Makes sense.