Security

Unix shell shock vulnerability: Is Splunk web or mgt port vulnerable to attacks when running on Unix system with shell shock vulnerability?

bandit
Motivator

Regarding the shell shock vulnerability, and assuming the host where Splunk or Splunkforwarder is running has the shell shock vulnerability, is it possible to invoke the vulnerability via the splunkweb(8000) or mgt ports(8089)?

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

http://blogs.splunk.com/2014/09/24/finding-shellshock-cve-2014-6271-with-splunk-forwarders/

1 Solution

gkanapathy
Splunk Employee
Splunk Employee

No it is not. Splunk will only call external processes in response to user actions in:

  • A custom search command. These run under the Splunk python interpreter, not bash, and do not allow arbitrary specification of environment variables.
  • A scripted lookup. This operates the same as a custom search command, with the addition that it may run Perl as well as python
  • An alert action. This may be a shell script, but it must be specified by path and must reside in a specific location (not an arbitrary command or command line), and the user can not specify environment variable to pass to it.
  • A scripted or modular input. These may be shell scripts, they must be specified by path and must reside in a specific location (not an arbitrary command or command line), and the users can not specify environment variables to pass to them.

In all cases, the external program must be placed in specific locations on the system by an administrator. By default, there are no scripts or programs that invoke bash in current or recent versions of Splunk. The administrator can of course create vulnerabilities by placing and allowing access to dangerous programs. But the shellshock bash vulnerability can not be invoked.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

No it is not. Splunk will only call external processes in response to user actions in:

  • A custom search command. These run under the Splunk python interpreter, not bash, and do not allow arbitrary specification of environment variables.
  • A scripted lookup. This operates the same as a custom search command, with the addition that it may run Perl as well as python
  • An alert action. This may be a shell script, but it must be specified by path and must reside in a specific location (not an arbitrary command or command line), and the user can not specify environment variable to pass to it.
  • A scripted or modular input. These may be shell scripts, they must be specified by path and must reside in a specific location (not an arbitrary command or command line), and the users can not specify environment variables to pass to them.

In all cases, the external program must be placed in specific locations on the system by an administrator. By default, there are no scripts or programs that invoke bash in current or recent versions of Splunk. The administrator can of course create vulnerabilities by placing and allowing access to dangerous programs. But the shellshock bash vulnerability can not be invoked.

ChrisG
Splunk Employee
Splunk Employee

Updated guidance from Splunk: http://www.splunk.com/view/SP-CAAANJN

gkanapathy
Splunk Employee
Splunk Employee

Please check back for more updates. While it is the case that a default Splunk installation will not be vulnerable to shellshock, we hope to provide more specific information warning you where you could be vulnerable if you install or configure shell scripts. If you are in this situation or are not sure, you may want to simply patch bash.

bandit
Motivator

Thanks for the quick response!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...