Solved: Can you clarify Vulnerability report SPL-144192?

chriswilkes33 · ‎11-30-2017

Vulnerability report SPL-144192 seems to have contradicting data in it. It begins by talking about being vulnerable to this specific thing when running init or control scripts as a root user, but later in the report it mentions some specific conditions you must meet to be vulnerable, the first being run init scripts as non-root user.

Soooo...which is it?

How do I know if I'm vulnerable with such contradictory information?

I don't have enough karma points to post links apparently, even to splunks own web servers, but Ive attempted below to post a link in case it lets me...

splunk.com/view/SP-CAAAP3M#MitigationandUpgrades

harsmarvania57 · ‎12-01-2017

Hi @chriswilkes33,

Before you go through below content, please consider below configuration for Redhat only and I am considering that splunk is running as splunk user, command or configuration might change for different version of OS. 😛

After Splunk version 6.1, splunk changed init script which you created by root user using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user>

So /etc/init.d/splunk script includes command like for start, stop, restart and status

      "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
      "/opt/splunkforwarder/bin/splunk" stop
      "/opt/splunkforwarder/bin/splunk" restart
      "/opt/splunkforwarder/bin/splunk" status

However before Splunk version 6.1 when you created /etc/init.d/splunk using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user at that start, stop, restart and status command looke like below

  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "

Now whether you are affected or not, you need to check 2 things

If $SPLUNK_HOME/etc/splunk-launch.conf contains SPLUNK_OS_USER=<user> line

And you created init script after splunk version 6.1, using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user, which contains command as below

      "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
      "/opt/splunkforwarder/bin/splunk" stop
      "/opt/splunkforwarder/bin/splunk" restart
      "/opt/splunkforwarder/bin/splunk" status

If you satisfy both the condition then you are affected.
Mitigation is you need to change those command to look like this

su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "

I hope this clears.

Thanks,
Harshil

View solution in original post

harsmarvania57 · ‎12-01-2017

Hi @chriswilkes33,

Before you go through below content, please consider below configuration for Redhat only and I am considering that splunk is running as splunk user, command or configuration might change for different version of OS. 😛

After Splunk version 6.1, splunk changed init script which you created by root user using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user>

So /etc/init.d/splunk script includes command like for start, stop, restart and status

      "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
      "/opt/splunkforwarder/bin/splunk" stop
      "/opt/splunkforwarder/bin/splunk" restart
      "/opt/splunkforwarder/bin/splunk" status

However before Splunk version 6.1 when you created /etc/init.d/splunk using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user at that start, stop, restart and status command looke like below

  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
  /bin/su splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "

Now whether you are affected or not, you need to check 2 things

If $SPLUNK_HOME/etc/splunk-launch.conf contains SPLUNK_OS_USER=<user> line

And you created init script after splunk version 6.1, using command $SPLUNK_HOME/bin/splunk enable boot-start –user <user> by root user, which contains command as below

      "/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
      "/opt/splunkforwarder/bin/splunk" stop
      "/opt/splunkforwarder/bin/splunk" restart
      "/opt/splunkforwarder/bin/splunk" status

If you satisfy both the condition then you are affected.
Mitigation is you need to change those command to look like this

su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" stop "
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" restart "
su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" status "

I hope this clears.

Thanks,
Harshil

chriswilkes33 · ‎12-04-2017

Thanks for the explanation. Makes sense.

DATEVeG · ‎12-04-2017

Thanks! That sounds reasonable.

Will there be a proper solution by splunk for this problem?

harsmarvania57 · ‎12-04-2017

As of now splunk suggested to update /etc/init.d/splunk as per answer given by me.

Can you clarify Vulnerability report SPL-144192?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor