Security
Highlighted

Unix shell shock vulnerability: Is Splunk web or mgt port vulnerable to attacks when running on Unix system with shell shock vulnerability?

Motivator

Regarding the shell shock vulnerability, and assuming the host where Splunk or Splunkforwarder is running has the shell shock vulnerability, is it possible to invoke the vulnerability via the splunkweb(8000) or mgt ports(8089)?

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

http://blogs.splunk.com/2014/09/24/finding-shellshock-cve-2014-6271-with-splunk-forwarders/

Highlighted

Re: Unix shell shock vulnerability: Is Splunk web or mgt port vulnerable to attacks when running on Unix system with shell shock vulnerability?

Splunk Employee
Splunk Employee

No it is not. Splunk will only call external processes in response to user actions in:

  • A custom search command. These run under the Splunk python interpreter, not bash, and do not allow arbitrary specification of environment variables.
  • A scripted lookup. This operates the same as a custom search command, with the addition that it may run Perl as well as python
  • An alert action. This may be a shell script, but it must be specified by path and must reside in a specific location (not an arbitrary command or command line), and the user can not specify environment variable to pass to it.
  • A scripted or modular input. These may be shell scripts, they must be specified by path and must reside in a specific location (not an arbitrary command or command line), and the users can not specify environment variables to pass to them.

In all cases, the external program must be placed in specific locations on the system by an administrator. By default, there are no scripts or programs that invoke bash in current or recent versions of Splunk. The administrator can of course create vulnerabilities by placing and allowing access to dangerous programs. But the shellshock bash vulnerability can not be invoked.

View solution in original post

Highlighted

Re: Unix shell shock vulnerability: Is Splunk web or mgt port vulnerable to attacks when running on Unix system with shell shock vulnerability?

Motivator

Thanks for the quick response!

0 Karma
Highlighted

Re: Unix shell shock vulnerability: Is Splunk web or mgt port vulnerable to attacks when running on Unix system with shell shock vulnerability?

Splunk Employee
Splunk Employee

Please check back for more updates. While it is the case that a default Splunk installation will not be vulnerable to shellshock, we hope to provide more specific information warning you where you could be vulnerable if you install or configure shell scripts. If you are in this situation or are not sure, you may want to simply patch bash.

Highlighted

Re: Unix shell shock vulnerability: Is Splunk web or mgt port vulnerable to attacks when running on Unix system with shell shock vulnerability?

Splunk Employee
Splunk Employee

Updated guidance from Splunk: http://www.splunk.com/view/SP-CAAANJN