CVE-2022-43564 - Exploiting Denial of Service in Splunk Enterprise via Malicious Search Macros

Splunk is widely known for its log analysis and SIEM capabilities across enterprises. But like any powerful tool, it can have vulnerabilities if not kept up to date. One of the important vulnerabilities found in Splunk Enterprise is CVE-2022-43564. In this article, we’ll break down what this vulnerability is, how it works, and show an example of how a malicious user could use it to carry out a denial-of-service (DoS) attack.

What is CVE-2022-43564?

CVE-2022-43564 affects Splunk Enterprise before versions 8.1.12, 8.2.9, and 9..2. The flaw allows a user (with permissions to create search macros and schedule searches) to crash or hang Splunk’s search process, making the system unavailable to others—a classic denial-of-service.

Original CVE Reference:  
- NIST CVE-2022-43564 Details  
- Splunk Security Advisory

Simple Explanation

Splunk lets users define search macros—basically shortcuts that expand into search queries. If a user can define a macro and schedule a search that uses it, they can create harmful combinations. For example, a macro that calls itself, leading to a loop or a heavy search, can bog down the Splunk search process or cause it to crash.

How Does the Exploit Work?

Anyone who can create search macros _and_ schedule reports in Splunk can exploit this.

Let’s say an attacker creates a search macro that endlessly calls itself. When Splunk tries to expand the macro during a search, it gets stuck—using up memory or CPU until the process fails or the whole service stops responding.

Example: Creating a Malicious Macro

First, let’s see the kind of macro you might define in Splunk’s macro editor (usually accessible to users with high search or creation privileges).

Macro definition (in macros.conf)

[dos_macro()]
definition = dos_macro()
iseval = 

This macro calls itself endlessly. When Splunk tries to execute it as part of a search, it falls into infinite recursion.

Exploit Steps

Here’s how someone might carry out a denial of service using this CVE.

Create the Malicious Macro

You can define a macro via the Splunk Web interface or by editing the macros.conf file. For demonstration, here is the macro in the config file:

The attacker schedules a search using the macro

Impact

Each time the scheduled report runs, the macro expands recursively, using up resources. Over time, this can cause the search process to hang or crash, affecting all users:

Then, go to Search and run

| dos_macro()

Watch the search process slow down or hang. Scheduling this search makes it happen automatically.

How to Fix

Upgrade Splunk:  
- If you’re running a vulnerable version, update to at least 8.1.12, 8.2.9, or 9..2 as recommended by Splunk.
 - Splunk Downloads

Best Practices:

Summary

CVE-2022-43564 is another example of how giving broad permissions or not updating your tools can let insiders or attackers cause trouble—like a full denial-of-service in a production Splunk environment. This bug relies on Splunk’s powerful macro system being misused to cause infinite loops or heavy resource consumption, dragging down the whole search process.

Always update your Splunk deployment and audit user permissions regularly. Don't let simple loopholes slow down or take out your important monitoring systems.

References

- CVE-2022-43564 at NIST
- Splunk Security Advisory SVD-2022-1107
- Splunk Documentation: Search macros

Timeline

Published on: 11/04/2022 23:15:00 UTC
Last modified on: 11/08/2022 14:40:00 UTC