https://community.splunk.com/t5/Splunk-Search/Splunk-5-0-Vulnerability/m-p/74896#M181263 <P>I agree w/ Drainy here. The ability to run scripts from Splunk is a feature - those scripts will run under whatever operating system authority you start Splunk as. The ability to upload apps (which can contain scripts) is also a feature, and is only available to users who have authenticated to Splunk and have the proper access within Splunk. </P> <P>If your Splunk environment is properly configured and hardened, then your exposure to this vulnerability is limited to "how well can I trust my users with Splunk admin rights?"</P> <P>In a potentially hostile environment, many good practices apply, including:</P> <UL> <LI>Change the 'admin' password, and/or delete the 'admin' account</LI> <LI>Minimize the set of users with admin-equivalent access</LI> <LI>Don't run Splunkd or Splunkweb as root</LI> <LI>Firewall the Splunkd / Splunkweb TCP ports as appropriate</LI> <LI>Establish and enforce a change management policy for app installs / updates</LI> <LI>Use Splunk itself to search/alert upon logged events around app changes</LI> <LI>Use a file change monitor to look for changes to the scripts within permitted Splunk apps</LI> </UL> <P>If this cannot provide you with sufficient risk mitigation, it <STRONG>may</STRONG> be possible to completely disable scripted inputs and other script-calling features within Splunk. You would do so, however, at a great functionality cost. If this is the route you wish to take, I would recommend opening a support case and documenting your concerns and asking for help with configuring Splunk to remove as much script-calling functionality as possible. (Again, you will probably not be happy with this decision functionality-wise)</P> Mon, 31 Dec 2012 21:18:56 GMT dwaddle 2012-12-31T21:18:56Z https://community.splunk.com/t5/Splunk-Search/Splunk-5-0-Vulnerability/m-p/74894#M181261 <P>I've encountered with this finding at Packetstorm website. May I know whether Splunk already verified and acknowledge on the finding as we plan to upgrade our Splunk to that latest version. </P> <P><A href="http://packetstormsecurity.com/files/118697/Splunk-5.0-Custom-App-Remote-Code-Execution.html">http://packetstormsecurity.com/files/118697/Splunk-5.0-Custom-App-Remote-Code-Execution.html</A></P> Mon, 31 Dec 2012 08:46:03 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-5-0-Vulnerability/m-p/74894#M181261 yap 2012-12-31T08:46:03Z https://community.splunk.com/t5/Splunk-Search/Splunk-5-0-Vulnerability/m-p/74895#M181262 <P>Well, this one has been floating around a while and I don't personally consider it a vulnerability.</P> <P>Basically, it depends on you installing Splunk, not changing the default password (which it asks you to do on the first login), running it as root - which is not "default" as the vuln page says. Its generally something silly people do to make reading /var/log easier. </P> <P>Run it as the "splunk" user that the install package creates, change the admin password, create your own account and delete the admin user - nothing to worry about.</P> <P>If you were to call this a vuln then it technically affects 4.2 and 4.3 as they all have the same script execution behaviour <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>EDIT: FYI, The Splunk Security portal can be found here; <A href="http://www.splunk.com/page/securityportal">http://www.splunk.com/page/securityportal</A></P> Mon, 31 Dec 2012 08:54:49 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-5-0-Vulnerability/m-p/74895#M181262 Drainy 2012-12-31T08:54:49Z https://community.splunk.com/t5/Splunk-Search/Splunk-5-0-Vulnerability/m-p/74896#M181263 <P>I agree w/ Drainy here. The ability to run scripts from Splunk is a feature - those scripts will run under whatever operating system authority you start Splunk as. The ability to upload apps (which can contain scripts) is also a feature, and is only available to users who have authenticated to Splunk and have the proper access within Splunk. </P> <P>If your Splunk environment is properly configured and hardened, then your exposure to this vulnerability is limited to "how well can I trust my users with Splunk admin rights?"</P> <P>In a potentially hostile environment, many good practices apply, including:</P> <UL> <LI>Change the 'admin' password, and/or delete the 'admin' account</LI> <LI>Minimize the set of users with admin-equivalent access</LI> <LI>Don't run Splunkd or Splunkweb as root</LI> <LI>Firewall the Splunkd / Splunkweb TCP ports as appropriate</LI> <LI>Establish and enforce a change management policy for app installs / updates</LI> <LI>Use Splunk itself to search/alert upon logged events around app changes</LI> <LI>Use a file change monitor to look for changes to the scripts within permitted Splunk apps</LI> </UL> <P>If this cannot provide you with sufficient risk mitigation, it <STRONG>may</STRONG> be possible to completely disable scripted inputs and other script-calling features within Splunk. You would do so, however, at a great functionality cost. If this is the route you wish to take, I would recommend opening a support case and documenting your concerns and asking for help with configuring Splunk to remove as much script-calling functionality as possible. (Again, you will probably not be happy with this decision functionality-wise)</P> Mon, 31 Dec 2012 21:18:56 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-5-0-Vulnerability/m-p/74896#M181263 dwaddle 2012-12-31T21:18:56Z