As mentioned in https://advisory.splunk.com/advisories/SVD-2023-0606 under "Mitigations and Workarounds",
users can protect themselves from log injections via ANSI escape characters in general by disabling the ability to process ANSI escape codes.
The above statement is a very generic statement, and we cannot find any articles on the internet about how to do the same.
Take for e.g. SSH PuTTY, which is generally used by most users. Does the above statement say to disable processing of ANSI escape codes in this terminal app?
If that is the case, where can we find the documentation for disabling ANSI escape codes?
This is just one generic example.
As this is a mitigation and workaround, we also need to carefully weigh the pros/cons of it.
Please correct me if my understanding is wrong.
Any help/pointers in making us understand the above point will be of great help.
Here, under the Terminal emulation option, I also don't see any specific option through which ANSI codes can be controlled.
Am I looking at the correct option?
The option and approach need to be documented properly from my side in a step-by-step manner.
Unless I am clear on the approach, I cannot come up with the steps for disabling the ability on the terminal.
Thanks for the prompt replies
My apologies. I recalled a selector where one could choose the terminal emulation, but I must have been thinking of a different program.
The setting in question is "Terminal-type string" in Connection->Data. Enter a value from your system's termcap or terminfo file for a terminal type that does not support ANSI sequences. Your Linux system admin should be able to assist with the choice.
I have one more question after discussing internally.
Is there a way/mechanism available to identify if the Splunk log files are affected and, if possible, isolate them?
Please let me know if there is any tool/script which is already available.
Thanks in advance.
I am not aware of a method to determine if the vulnerability has already been exploited. In theory, you should search for fragments of ANSI escape sequences using SPL (the vulnerability applies only to the CLI), but I don't know what one would search for since Splunk and other sites have few details available.
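As an added example for the question of how to find affected log files (this is not code from Splunk or from any poster in this thread), the script below scans a log file for ANSI/VT escape sequences, lists the affected lines with the ESC byte made visible, and emits a stripped copy that can be reviewed or set aside. It knows nothing about Splunk's log format and only inspects bytes; the sample log it builds is constructed for the demo, not real Splunk output, and the file paths are whatever you pass in.

```shell
#!/bin/sh
# Added example for this thread; it is not code from Splunk or from any of
# the posters. It scans a log file for ANSI/VT escape sequences, the vector
# behind the advisory discussed above, and strips them so the file can be
# reviewed or set aside safely. It knows nothing about Splunk's log format;
# it only inspects bytes, so point it at whichever files you suspect.

ESC=$(printf '\033')   # 0x1b, the byte that starts every escape sequence
BEL=$(printf '\007')   # 0x07, one of the terminators of an OSC sequence

# ansi_regex -> POSIX ERE matching a CSI sequence (ESC [ params final-byte)
# or the opener of an OSC sequence (ESC ]). Deliberately broad: plain log
# text never contains a raw ESC byte, so any hit deserves a look.
ansi_regex() {
    printf '%s' "${ESC}(\[[0-9;?]*[@-~]|\])"
}

# count_ansi_lines FILE -> number of lines containing an escape sequence.
# grep -c exits 1 when the count is 0, which is not an error for us.
count_ansi_lines() {
    n=$(LC_ALL=C grep -cE "$(ansi_regex)" "$1") || [ "$?" -eq 1 ] || return 2
    printf '%s\n' "${n:-0}"
}

# list_ansi_lines FILE -> "lineno:content" for each affected line, with the
# ESC byte rendered as ^[ (as cat -v would) so the terminal never acts on it.
list_ansi_lines() {
    LC_ALL=C grep -nE "$(ansi_regex)" "$1" | LC_ALL=C sed "s/${ESC}/^[/g"
}

# strip_ansi FILE -> the file's content with CSI sequences and complete OSC
# sequences (ESC ] ... BEL or ESC ] ... ESC \) removed.
strip_ansi() {
    LC_ALL=C sed -E \
        -e "s/${ESC}\[[0-9;?]*[@-~]//g" \
        -e "s/${ESC}\][^${BEL}]*(${BEL}|${ESC}\\\\)//g" "$1"
}

# make_sample_log FILE: write a constructed log (not real Splunk output) with
# two clean lines and two injected ones: a clear-screen plus red "ALERT"
# text via CSI, and a window-title change via OSC.
make_sample_log() {
    {
        printf '%s\n' '2023-06-01 10:00:00 INFO user=alice action=login status=ok'
        printf '2023-06-01 10:00:01 WARN user=%s[2J%s[1;31mALERT: fake error%s[0m action=login\n' \
            "$ESC" "$ESC" "$ESC"
        printf '2023-06-01 10:00:02 INFO user=%s]0;pwned%s action=logout\n' "$ESC" "$BEL"
        printf '%s\n' '2023-06-01 10:00:03 INFO user=bob action=login status=ok'
    } > "$1"
}

# Usage when run directly with --demo: build the sample, report, show a
# cleaned copy. Replace make_sample_log with your own log path otherwise.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    echo "lines with escape sequences: $(count_ansi_lines "$tmp")"
    list_ansi_lines "$tmp"
    echo "--- stripped ---"
    strip_ansi "$tmp"
    rm -f "$tmp"
fi
```

Run it with `sh scan_ansi.sh --demo` (the file name is arbitrary) to see the two injected lines reported as `2:` and `3:` with `^[` in place of the raw ESC byte, followed by the cleaned copy. Keep the original file untouched for evidence and work from the stripped copy; the regex is intentionally broad, so a hit means "look at this line", not proof of exploitation.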
Thanks for the response.
Based on articles/links and interactions with other members:
Note: The below workaround solution varies based on deployment (attack surface) for other setups.
Simple/minimal solution I see as of now:
---------------------------------------------------------------------------------------
Summary:
Issue: Unauthenticated Log Injection in Splunk Enterprise
Attack Surface: Not straightforward (there is minimal scope for any injection from the Splunk Enterprise setup, as it has been configured for a few restricted users)
Workaround: Ask end users to use the "less" command instead of the "cat"/"tail" commands to access Splunk logs in the terminal (to be on the safer side).
----------------------------------------------------------------------------------------
Please let me know if anything else needs to be added to the workaround.
Please feel free to correct me if I am missing anything in my understanding.
I have a question specific to PuTTY.
What all options need to be disabled as part of this suggestion?
A sample screenshot of PuTTY is attached below.
Hi
you should disable at least:
As said in other replies, your users should use less instead of cat/tail/more etc. Another option is to use "cat -vet" instead of plain cat.
As @richgalloway said, you could/should use some other terminal value, e.g. dummy or something else which cannot use ANSI codes. Of course you lose quite a lot of the terminal's features this way....
r. Ismo
Probably none of those. Go to the Terminal setting and choose an emulation that does not support ANSI character sequences. Be aware that different emulators have varying (or sometimes no) support for applications that write to random screen locations (like full-screen editors and programs like top).
This answer may answer your question.
https://community.splunk.com/t5/Security/Disable-ANSI-escape-codes/m-p/652082