In this post, we will discuss CVE-2022-43561, a security vulnerability found in Splunk Enterprise versions below 8.1.12, 8.2.9, and 9..2. This vulnerability can lead to persistent cross-site scripting (XSS) attacks and is exploitable when an attacker has the "power" Splunk role in an instance with Splunk Web enabled. We'll briefly explain what persistent XSS is and how the vulnerability can be exploited. After that, we'll share a code snippet demonstrating a proof of concept for the exploit, and finally, we'll provide links to the original references and resources for more information.

Persistent Cross-Site Scripting (XSS) Explained

A persistent XSS vulnerability allows an attacker to inject malicious scripts that are stored by a website and become part of its content. When a victim visits the affected webpage, the malicious script is executed in their browser, potentially causing unauthorized access to sensitive information, session hijacking, or redirection to malicious websites. In the case of CVE-2022-43561, Splunk Enterprise environments are vulnerable to this kind of attack.

Exploit Details

CVE-2022-43561 specifically affects Splunk Enterprise, a platform for searching, analyzing, and visualizing machine-generated data such as web logs, application logs, and more. The vulnerability exists mainly due to insufficient input validation on the Splunk server side. When a Splunk user with the "power" role creates a new saved search, they can insert arbitrary JavaScript code into the saved search's description field. Once saved, the malicious script will be executed whenever the saved search description is viewed by other users on the Splunk Web interface.

Here's a simple code snippet demonstrating the proof of concept for this exploit:

<script>alert("XSS");</script>

Save the search with an arbitrary name and optional shared permissions.

6. Now, whenever a user visits the saved search page, the JavaScript code in the description will be executed, causing an XSS attack.

To get more information about this vulnerability, you can read the following resources and articles:

1. CVE-2022-43561 - The official CVE-2022-43561 page on the MITRE website.
2. Splunk Security Advisory - Splunk's official page for security advisories, where you can find details on CVE-2022-43561 and other vulnerabilities.
3. Splunk Release Notes - Official release notes from Splunk detailing the changes and fixes made in their software updates, including the fixed versions for the CVE-2022-43561 vulnerability.

It is important to note that this vulnerability has been patched in newer versions of Splunk Enterprise, namely 8.1.12, 8.2.9, and 9..2. Organizations using Splunk Enterprise should update their software immediately to these latest versions to protect against this XSS vulnerability. This will ensure that their instance remains secure and their users are protected from potential security breaches.
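As an added example (not from the original post or from Splunk), the following Python audit looks for HTML markup already stored in saved-search description fields, the injection point described above. It assumes the saved searches are available as text in the savedsearches.conf layout with a `description` key; the sample stanzas, `parse_descriptions` and `audit` are constructed for illustration.

```python
import re

# Constructed sample in the savedsearches.conf layout (assumed storage format).
SAMPLE_CONF = r"""
[Failed logins by host]
description = Hosts with count < 5 failed logins are ignored

[Weekly report]
description = <script>alert("XSS");</script>
search = index=main | head 10

[Disk usage]
description = Usage trend, \
    updated <b>weekly</b>
"""

# Markup that a plain-text description has no reason to contain.
SUSPICIOUS = [
    ("script tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("HTML tag", re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I)),
]

def parse_descriptions(conf_text):
    """Return {saved search name: description}, joining backslash continuations."""
    descriptions, stanza, pending = {}, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            stanza = stripped[1:-1]
            continue
        key, sep, value = stripped.partition("=")
        if sep and stanza is not None and key.strip() == "description":
            descriptions[stanza] = value.strip()
    return descriptions

def audit(conf_text):
    """Return [(saved search name, first matching label)] for flagged descriptions."""
    findings = []
    for stanza, desc in parse_descriptions(conf_text).items():
        label = next((name for name, rx in SUSPICIOUS if rx.search(desc)), None)
        if label:
            findings.append((stanza, label))
    return findings
```

Calling `audit(SAMPLE_CONF)` flags the two stanzas whose descriptions carry markup and leaves the benign `count < 5` description alone; a flagged entry is a prompt for manual review, not proof of an attack.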

Timeline

Published on: 11/03/2022 23:15:00 UTC
Last modified on: 11/07/2022 16:58:00 UTC