Splunk Enterprise < 5.0.16 / 6.0.12 / 6.1.11 / 6.2.11 / 6.3.6 / 6.4.2 or Splunk Light < 6.4.2 Multiple Vulnerabilities - Nessus

High   Plugin ID: 92790

This page contains detailed information about the Splunk Enterprise < 5.0.16 / 6.0.12 / 6.1.11 / 6.2.11 / 6.3.6 / 6.4.2 or Splunk Light < 6.4.2 Multiple Vulnerabilities Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 92790
Name: Splunk Enterprise < 5.0.16 / 6.0.12 / 6.1.11 / 6.2.11 / 6.3.6 / 6.4.2 or Splunk Light < 6.4.2 Multiple Vulnerabilities
Filename: splunk_642.nasl
Vulnerability Published: 2013-03-22
This Plugin Published: 2016-08-08
Last Modification Time: 2019-11-14
Plugin Version: 1.7
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: splunkd_detect.nasl, splunk_web_detect.nasl
Required KB Items: installed_sw/Splunk

Vulnerability Information


Severity: High
Vulnerability Published: 2013-03-22
Patch Published: 2016-07-28
CVE: CVE-2013-0211, CVE-2015-2304, CVE-2016-1541, CVE-2016-2107
CPE: cpe:/a:libarchive:libarchive, cpe:/a:openssl:openssl, cpe:/a:splunk:splunk
In the News: True

Synopsis

An application running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the version of Splunk Enterprise hosted on the remote web server is 5.0.x, 6.0.x prior to 6.0.12, 6.1.x prior to 6.1.11, 6.2.x prior to 6.2.11, 6.3.x prior to 6.3.6, or 6.4.x prior to 6.4.2; or else it is Splunk Light version 6.4.x prior to 6.4.2. It is, therefore, affected by the following vulnerabilities:

- An integer signedness error exists in libarchive in the archive_write_zip_data() function within file archive_write_set_format_zip.c due to improper conversion between unsigned and signed integer types when running on 64-bit CPUs. An unauthenticated, remote attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition. (CVE-2013-0211)

- A path traversal vulnerability exists in libarchive in the bsdcpio() function within file cpio/cpio.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted path in an archive, to write to arbitrary files. (CVE-2015-2304)

- A heap-based buffer overflow condition exists in libarchive in the zip_read_mac_metadata() function within file archive_read_support_format_zip.c due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this, via specially crafted entry-size values in a ZIP archive, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-1541)

- Multiple flaws exist in the OpenSSL library in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107)

- An unspecified cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session.

- An unspecified cross-site redirection vulnerability exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted web link, to redirect the browser to an arbitrary website of the attacker's own choosing.

Note that Splunk Enterprise 5.0.x will not be patched for OpenSSL issues, and it is recommended you upgrade to the latest version.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade Splunk Enterprise to version 6.0.12 / 6.1.11 / 6.2.11 / 6.3.6 / 6.4.2 or later, or Splunk Light to version 6.4.2 or later.

Public Exploits


Target Network Port(s): 8000, 8089
Target Asset(s): Services/www
Exploit Available: True (Exploit-DB, GitHub)
Exploit Ease: No exploit is required

Here's the list of publicly known exploits and PoCs for verifying the Splunk Enterprise < 5.0.16 / 6.0.12 / 6.1.11 / 6.2.11 / 6.3.6 / 6.4.2 or Splunk Light < 6.4.2 Multiple Vulnerabilities vulnerability:

  1. Exploit-DB: exploits/multiple/dos/39768.txt
    [EDB-39768: OpenSSL - Padding Oracle in AES-NI CBC MAC Check]
  2. GitHub: https://github.com/FiloSottile/CVE-2016-2107
    [CVE-2016-2107: Simple test for the May 2016 OpenSSL padding oracle (CVE-2016-2107)]
  3. GitHub: https://github.com/RedHatOfficial/rhsecapi
    [CVE-2016-2107]
  4. GitHub: https://github.com/RedHatProductSecurity/cve-pylib
    [CVE-2016-2107]
  5. GitHub: https://github.com/hackstoic/hacker-tools-projects
    [CVE-2016-2107]
  6. GitHub: https://github.com/hannob/tls-what-can-go-wrong
    [CVE-2016-2107]
  7. GitHub: https://github.com/krabelize/openbsd-httpd-tls-perfect-ssllabs-score
    [CVE-2016-2107]
  8. GitHub: https://github.com/scuechjr/Sec-Box
    [CVE-2016-2107]
  9. GitHub: https://github.com/tmiklas/docker-cve-2016-2107
    [CVE-2016-2107: Docker container implementing tests for CVE-2016-2107 - LuckyNegative20]
  10. GitHub: https://github.com/tomwillfixit/alpine-cvecheck
    [CVE-2016-2107]
  11. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/39768.zip
    [EDB-39768]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C
CVSS Base Score: 6.8 (Medium)
Impact Subscore: 6.4
Exploitability Subscore: 8.6
CVSS Temporal Score: 5.3 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 5.3 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CVSS Base Score: 8.8 (High)
Impact Subscore: 5.9
Exploitability Subscore: 2.8
CVSS Temporal Score: 7.9 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 7.9 (High)


Plugin Source


This is the splunk_642.nasl nessus plugin source code. This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(92790);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id(
    "CVE-2013-0211",
    "CVE-2015-2304",
    "CVE-2016-1541",
    "CVE-2016-2107"
  );
  script_bugtraq_id(
    58926,
    89355,
    89760,
    92183,
    92184
  );
  script_xref(name:"CERT", value:"862384");
  script_xref(name:"EDB-ID", value:"39768");

  script_name(english:"Splunk Enterprise < 5.0.16 / 6.0.12 / 6.1.11 / 6.2.11 / 6.3.6 / 6.4.2 or Splunk Light < 6.4.2 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Splunk Enterprise and Light.");

  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote web server is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the version of Splunk
Enterprise hosted on the remote web server is 5.0.x, 6.0.x prior to
6.0.12, 6.1.x prior to 6.1.11, 6.2.x prior to 6.2.11, 6.3.x prior to
6.3.6, or 6.4.x prior to 6.4.2; or else it is Splunk Light version
6.4.x prior to 6.4.2. It is, therefore, affected by the following
vulnerabilities :

  - An integer signedness error exists in libarchive in the
    archive_write_zip_data() function within file
    archive_write_set_format_zip.c due to improper
    conversion between unsigned and signed integer types
    when running on 64-bit CPUs. An unauthenticated, remote
    attacker can exploit this to cause a buffer overflow,
    resulting in a denial of service condition.
    (CVE-2013-0211)

  - A path traversal vulnerability exists in libarchive in
    the bsdcpio() function within file in cpio/cpio.c due to
    improper sanitization of user-supplied input. An
    unauthenticated, remote attacker can exploit this, via
    a specially crafted path in an archive, to write to
    arbitrary files. (CVE-2015-2304)

  - A heap-based buffer overflow condition exists in
    libarchive in the zip_read_mac_metadata() function
    within file archive_read_support_format_zip.c due to
    improper sanitization of user-supplied input. An
    unauthenticated, remote attacker can exploit this, via
    specially crafted entry-size values in a ZIP archive, to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2016-1541)

  - Multiple flaws exist in the OpenSSL library in the
    aesni_cbc_hmac_sha1_cipher() function in file
    crypto/evp/e_aes_cbc_hmac_sha1.c and the
    aesni_cbc_hmac_sha256_cipher() function in file
    crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered
    when the connection uses an AES-CBC cipher and AES-NI
    is supported by the server. A man-in-the-middle attacker
    can exploit these to conduct a padding oracle attack,
    resulting in the ability to decrypt the network traffic.
    (CVE-2016-2107)

  - An unspecified cross-site scripting (XSS) vulnerability
    exists due to improper validation of user-supplied
    input. An unauthenticated, remote attacker can exploit
    this, via a specially crafted request, to execute
    arbitrary script code in the user's browser session.

  - An unspecified cross-site redirection vulnerability
    exists due to improper validation of user-supplied
    input. An unauthenticated, remote attacker can exploit
    this, by convincing a user to visit a specially crafted
    web link, to redirect the browser to an arbitrary
    website of the attacker's own choosing.

Note that Splunk Enterprise 5.0.x will not be patched for OpenSSL
issues, and it is recommended you upgrade to the latest version.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.splunk.com/view/SP-CAAAPQM");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20160503.txt");
  script_set_attribute(attribute:"solution", value:
"Upgrade Splunk Enterprise to version 6.0.12 / 6.1.11 / 6.2.11 /
6.3.6 / 6.4.2 or later, or Splunk Light to version 6.4.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/03/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:splunk:splunk");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:libarchive:libarchive");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("splunkd_detect.nasl", "splunk_web_detect.nasl");
  script_require_keys("installed_sw/Splunk");
  script_require_ports("Services/www", 8089, 8000);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "Splunk";

get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:8000, embedded:TRUE);

install = get_single_install(
  app_name : app,
  port     : port,
  exit_if_unknown_ver : TRUE
);

dir = install['path'];
ver = install['version'];
license = install['License'];
fix = FALSE;

install_url = build_url(qs:dir, port:port);

note = NULL;
if (license == "Enterprise")
{
  # 5.0.x < 5.0.16
  # Splunk Enterprise 5.0.x will not be patched for OpenSSL issues.
  # Splunk recommends updating to the latest version of Splunk Enterprise.
  if (ver =~ "^5\.0($|[^0-9])")
    fix = '6.4.2';

  # 6.0.x < 6.0.12
  else if (ver =~ "^6\.0($|[^0-9])")
    fix = '6.0.12';

  # 6.1.x < 6.1.11
  else if (ver =~ "^6\.1($|[^0-9])")
    fix = '6.1.11';

  # 6.2.x < 6.2.11
  else if (ver =~ "^6\.2($|[^0-9])")
    fix = '6.2.11';

  # 6.3.x < 6.3.6
  else if (ver =~ "^6\.3($|[^0-9])")
    fix = '6.3.6';

  # 6.4.x < 6.4.2
  else if (ver =~ "^6\.4($|[^0-9])")
    fix = '6.4.2';
}
else if (license == "Light")
{
  # any < 6.4.2
  fix = '6.4.2';
}

if (fix && ver_compare(ver:ver,fix:fix,strict:FALSE) < 0)
{
  order = make_list("URL", "Installed version", "Fixed version");
  report = make_array(
    order[0], install_url,
    order[1], ver + " " + license,
    order[2], fix + " " + license
  );
  report = report_items_str(report_items:report, ordered_fields:order);

  security_report_v4(port:port, extra:report, severity:SECURITY_WARNING, xss:TRUE);
  exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, ver + " " + license);
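The plugin above never touches the vulnerable code paths; it only maps the self-reported version and license to a fixed version and compares the two. That makes the same decision easy to reproduce offline against an inventory export, for example to re-check hosts before and after an upgrade window. The Python below is an added example written for this page; it is not Tenable's code and not NASL. It mirrors the plugin's branch-to-fix mapping (including the 5.0.x special case, where the fix is set to 6.4.2 because 5.0.x receives no OpenSSL patches) and assumes that the plugin's ver_compare with strict:FALSE behaves like a loose dotted-version comparison in which a missing trailing field counts as zero. The sample versions at the bottom are constructed, not taken from any scan.

```python
import re
from typing import Optional, Tuple

# Fixed version per Splunk Enterprise branch, mirrored from the plugin's if/else chain.
# 5.0.x maps to 6.4.2 because the page states 5.0.x will not be patched for OpenSSL issues.
ENTERPRISE_FIXES = {
    "5.0": "6.4.2",
    "6.0": "6.0.12",
    "6.1": "6.1.11",
    "6.2": "6.2.11",
    "6.3": "6.3.6",
    "6.4": "6.4.2",
}
# Splunk Light: any version below 6.4.2 is flagged, regardless of branch.
LIGHT_FIX = "6.4.2"


def ver_compare(ver: str, fix: str) -> int:
    """Loose dotted-version comparison (assumed equivalent of the plugin's
    ver_compare with strict:FALSE). Numeric fields are compared left to right
    and a missing trailing field counts as 0, so '6.4' == '6.4.0' < '6.4.2'.
    Returns -1, 0 or 1 like a classic compare function."""
    a = [int(x) for x in re.findall(r"\d+", ver)]
    b = [int(x) for x in re.findall(r"\d+", fix)]
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return (a > b) - (a < b)


def fixed_version_for(ver: str, edition: str) -> Optional[str]:
    """Return the fixed version the plugin would report for this install, or
    None when the branch is not covered (e.g. Enterprise 6.5.x or an unknown
    license string), in which case the plugin audits the host as not affected."""
    if edition == "Enterprise":
        # Same shape as the plugin's regexes: major.minor followed by end or a non-digit,
        # so '6.10.x' is not mistaken for the '6.1' branch.
        m = re.match(r"^(\d+\.\d+)(?:$|[^0-9])", ver)
        if not m:
            return None
        return ENTERPRISE_FIXES.get(m.group(1))
    if edition == "Light":
        return LIGHT_FIX
    return None


def check_install(ver: str, edition: str) -> Tuple[bool, Optional[str]]:
    """(vulnerable, fixed_version) for one self-reported install.
    Like the plugin, this is purely version-based: it cannot see backported
    fixes or a hotfixed build that still reports the old version string."""
    fix = fixed_version_for(ver, edition)
    if fix is None:
        return (False, None)
    return (ver_compare(ver, fix) < 0, fix)


if __name__ == "__main__":
    # Constructed sample inventory rows: (host, self-reported version, license).
    inventory = [
        ("splunk-idx-01", "5.0.15", "Enterprise"),
        ("splunk-sh-02", "6.3.5", "Enterprise"),
        ("splunk-sh-03", "6.3.6", "Enterprise"),
        ("splunk-light-04", "6.4.1", "Light"),
        ("splunk-fwd-05", "6.5.0", "Enterprise"),
    ]
    for host, ver, edition in inventory:
        vulnerable, fix = check_install(ver, edition)
        state = f"upgrade to {fix}" if vulnerable else "not affected"
        print(f"{host:16} {edition:10} {ver:8} {state}")
```

Because this reproduces the plugin's method rather than improving on it, it inherits the caveat stated in the description: a host that has been patched without a version bump is still reported, and a host whose web interface hides its version is silently skipped, just as the plugin exits when the version is unknown.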

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/splunk_642.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\splunk_642.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/splunk_642.nasl


How to Run


Here is how to run the Splunk Enterprise < 5.0.16 / 6.0.12 / 6.1.11 / 6.2.11 / 6.3.6 / 6.4.2 or Splunk Light < 6.4.2 Multiple Vulnerabilities plugin as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select CGI abuses plugin family.
  6. On the right side table select Splunk Enterprise < 5.0.16 / 6.0.12 / 6.1.11 / 6.2.11 / 6.3.6 / 6.4.2 or Splunk Light < 6.4.2 Multiple Vulnerabilities plugin ID 92790.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl splunk_642.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a splunk_642.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - splunk_642.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state splunk_642.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID: 58926, 89355, 89760, 92183, 92184
CERT | Computer Emergency Response Team: 862384
See also: https://www.splunk.com/view/SP-CAAAPQM, https://www.openssl.org/news/secadv/20160503.txt
Similar and related Nessus plugins:
  • 93381 - Blue Coat ProxySG 6.5.x < 6.5.9.8 / 6.6.x < 6.6.4.1 Multiple OpenSSL Vulnerabilities
  • 92045 - Cisco TelePresence VCS / Expressway 8.x < 8.8 Multiple Vulnerabilities (Bar Mitzvah)
  • 94654 - HP System Management Homepage < 7.6 Multiple Vulnerabilities (HPSBMU03653) (httpoxy)
  • 97893 - Tenable Log Correlation Engine (LCE) < 4.8.1 Multiple Vulnerabilities
  • 90890 - OpenSSL 1.0.1 < 1.0.1t Multiple Vulnerabilities
  • 90891 - OpenSSL 1.0.2 < 1.0.2h Multiple Vulnerabilities
  • 91572 - OpenSSL AES-NI Padding Oracle MitM Information Disclosure
  • 93121 - Oracle Access Manager Webgate Information Disclosure (July 2016 CPU)
  • 94164 - Oracle E-Business Multiple Vulnerabilities (October 2016 CPU)
  • 92585 - Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (July 2016 CPU)
  • 106299 - Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2018 CPU)
  • 92543 - Oracle Secure Global Desktop Multiple Vulnerabilities (July 2016 CPU)
  • 106500 - pfSense < 2.3.1 Multiple Vulnerabilities (SA-16_03 / SA-16-04)
  • 106349 - Oracle iPlanet Web Server 7.0.x < 7.0.27 NSS Unspecified Vulnerability (January 2018 CPU)
  • 92458 - Oracle VM VirtualBox < 5.0.22 Multiple Vulnerabilities (July 2016 CPU)
  • 66835 - Splunk 5.0.x < 5.0.3 Multiple Vulnerabilities
  • 79722 - Splunk Enterprise 6.0.x < 6.0.6 Multiple Vulnerabilities
  • 79723 - Splunk Enterprise 6.0.x < 6.0.7 Multiple Vulnerabilities (POODLE)
  • 79724 - Splunk Enterprise 5.0.x < 5.0.10 / 6.1.x < 6.1.4 Multiple Vulnerabilities
  • 83992 - Splunk Enterprise 5.0.x < 5.0.13 / 6.0.x < 6.0.9 / 6.1.x < 6.1.8 OpenSSL Vulnerabilities (FREAK)
  • 81812 - Splunk Enterprise 6.2.x < 6.2.2 Multiple Vulnerabilities (FREAK)
  • 85581 - Splunk Enterprise < 5.0.14 / 6.0.10 / 6.1.9 / 6.2.5 or Splunk Light < 6.2.5 Multiple Vulnerabilities
  • 90705 - Splunk Enterprise < 5.0.15 / 6.0.11 / 6.1.10 / 6.2.9 / 6.3.3.4 or Splunk Light < 6.2.9 / 6.3.3.4 Multiple Vulnerabilities (DROWN)
  • 94932 - Splunk Enterprise < 5.0.17 / 6.0.13 / 6.1.12 / 6.2.12 / 6.3.8 / 6.4.4 or Splunk Light < 6.5.0 Multiple Vulnerabilities
  • 97100 - Splunk Enterprise < 5.0.17 / 6.0.13 / 6.1.12 / 6.2.13 / 6.3.9 / 6.4.5 / 6.5.2 or Splunk Light < 6.5.2 Multiple Vulnerabilities
  • 99235 - Splunk Enterprise < 5.0.18 / 6.0.14 / 6.1.13 / 6.2.13.1 / 6.3.10 / 6.4.6 / 6.5.3 / Splunk Light < 6.5.3 Multiple Vulnerabilities
  • 104850 - Splunk Enterprise 6.3.x < 6.3.12 / 6.4.x < 6.4.9 / 6.5.x < 6.5.6 / 6.6 < 6.6.3.2 or 6.6.4 / 7.0.x < 7.0.0.1 Multiple SAML Implementation Vulnerabilities
  • 158383 - Splunk Enterprise 8.1.x < 8.1.7.2 / 8.2.x < 8.2.3.3 Log4j
  • 121164 - Splunk Information Disclosure Vulnerability (SP-CAAAP5E)
  • 121163 - Splunk Information Exposure (SP-CAAAP5E)
  • 79721 - Splunk Enterprise 5.0.x < 5.0.11 Multiple Vulnerabilities (POODLE)
  • 73575 - Splunk 6.x < 6.0.3 Multiple OpenSSL Vulnerabilities (Heartbleed)
  • 76528 - Splunk Enterprise 4.3.x / 5.0.x < 5.0.9 / 6.0.x < 6.0.5 / 6.1.x < 6.1.2 Multiple OpenSSL Vulnerabilities
  • 160471 - Splunk Enterprise 8.1.x < 8.1.7.2 / 8.2.x < 8.2.3.3 Log4j (macOS)
  • 91352 - Citrix XenServer Multiple Vulnerabilities (CTX212736)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file splunk_642.nasl version 1.7. For more plugins, visit the Nessus Plugin Library.
