Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk 8.0.0: Sensitive Information disclosure?

randre
New Member
‎11-25-2020 01:23 AM

I have got a pentest results with the following :

It was possible to access those endpoints unauthenticated :

https://x.x.x.x/en-US/config
https://x.x.x.x/en-GB/config
https://x.x.x.x/en-US/info
https://x.x.x.x/en-US/paths
https://x.x.x.x/en-us/lists
https://x.x.x.x/en-US/embed 

Is it really a vulnerability ? They said that it's config data, not public data so it should not be visible.

How can we remove those endpoints from being reached unauthenticated ?

 

Labels (2)
Tags (3)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-30-2020 07:01 AM

The pentest is one opinion; yours is another.  You know more about Splunk so your opinion should count for more.  If you believe the information disclosed is not a problem then you should be able to convince your company to accept that over the pentest results.

The endpoints should be documented in the REST API manual, but that will detail the requests and responses.  It won't say "this is not a vulnerability".  It's up to you to make that decision.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

randre
New Member
‎12-01-2020 01:48 PM

Is it the REST API though ?

Like I said I was not able to find documentation about those endpoints.

Sounds silly but if you can find it that would great... (and would also be troublesome for me).

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2020 05:53 AM

I said it should be in the REST API manual, not that it is.  If you find an endpoint that is not documented then consider submitting feedback on the API manual so it can be included.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-25-2020 05:43 AM

Perhaps your firewall can be used to restrict access to those endpoints.  They'll still be open, but the risk will be lower.

The acceptFrom attribute in server.conf may help limit access to the endpoints.

You can try setting requireAuthentication = true in restmap.conf, but I don't know if this will do what you want.  Try it on a test system first.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

randre
New Member
‎11-30-2020 12:31 AM

Thanks

requireAuthentication defaults to true anyway so it should not fix my issue.

And I have to keep acceptFrom *

My problem is that I don't find documentation about those endpoints so I am not even sure it's a security issue.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-30-2020 05:48 AM

Try the endpoints yourself to see what they return.  If you don't like what comes out then it's a security issue.  😀

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

randre
New Member
‎11-30-2020 06:03 AM

Yeah I checked those and I am fine with them.

The problem is that according to a pentest, it publicly exposes config data.

So I now need to show that it is actually fine (but not finding docs for that is not helping) or I need to block those URLs.

Looks like it is not possible via configuration and I would really like not having to keep a set of rules on the network devices.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...