Protect yourself against future threats.
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2024.1870
SVD-2024-0301: Splunk Authentication Token Exposure in Debug Log in Splunk
Enterprise
28 March 2024
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Splunk Enterprise
Publisher: Splunk
Operating System: UNIX
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2024-29945
Original Bulletin:
https://advisory.splunk.com//advisories/SVD-2024-0301
Comment: CVSS (Max): 7.2 CVE-2024-29945 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Splunk Inc.
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Splunk Authentication Token Exposure in Debug Log in Splunk Enterprise
Advisory ID: SVD-2024-0301
CVE ID: CVE-2024-29945
Published: 2024-03-27
Last Update: 2024-03-27
CVSSv3.1 Score: 7.2, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-532
Bug ID: SPL-248977
Description
In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the software
potentially exposes authentication tokens during the token validation process.
This exposure could happen when either Splunk Enterprise runs in debug mode or
the JsonWebToken component has been configured to log its activity at the DEBUG
logging level. Normally, Splunk Enterprise runs with debug mode and token
authentication turned off, as well as the JsonWebToken process configured at
the INFO logging level.
The vulnerability would require either local access to the log files or
administrative access to internal indexes, which by default only the admin role
receives. Review roles and capabilities on your instance and restrict internal
index access to administrator-level roles. See Define roles on the Splunk
platform with capabilities in the Splunk documentation for more information.
Solution
There are multiple solutions depending on how you have configured the Splunk
Enterprise instance.
First, determine whether or not debug logging is on, either globally or for the
JsonWebToken component. You must log into the Splunk Enterprise instance as an
admin user or equivalent to perform these actions.
1. To determine the current global logging mode on the instance:
1. In a web browser, visit the Server Logging Settings page in Splunk Web
at /en-US/manager/system/server/logger .
2. Review the Logging Level column on the page that loads. If every row in
this column shows DEBUG as the logging level, then the Splunk
Enterprise instance is in debug mode. Otherwise, it is not in debug
mode.
2. To determine the current logging level for the JsonWebToken processor:
1. In a web browser, search for the JsonWebToken processor configuration
by visiting /en-US/manager/system/server/loggersearch=JsonWebToken .
2. Review the Logging level column for the processor. If this row has a
value of DEBUG, then the processor currently logs its activity at the
DEBUG level.
See Enable debug logging for more information.
If either of these steps determines that debug logging is on, either globally
or for the JsonWebToken component, then remedy the problem by performing the
following tasks:
1. Upgrade Splunk Enterprise to versions 9.2.1, 9.1.4, 9.0.9, or higher.
2. Delete the following log file on the Splunk Enterprise instance:
$SPLUNK_HOME/var/log/splunk/splunkd.log
3. Log into Splunk Web on the Splunk Enterprise instance and delete all log
file events for the JsonWebToken component from the _internal index by
running the following search command:
index=_internal component=JsonWebToken | delete
Note: The delete SPL command requires the can_delete role, which
administrators do not receive by default. See delete for more info on the
delete search command.
4. While you are logged in, rotate any potentially exposed authentication
tokens. See Manage or delete authentication tokens for more information.
Product Status
Product Version Component Affected Version Fix Version
Splunk Enterprise 9.2 9.2.0 to 9.2.0.1 9.2.1
Splunk Enterprise 9.1 9.1.0 to 9.1.3 9.1.4
Splunk Enterprise 9.0 9.0.0 to 9.0.8 9.0.9
Mitigations and Workarounds
If it isn't currently possible to upgrade to a fixed version of Splunk
Enterprise, you can remedy the vulnerability by doing the following:
1. If the Splunk Enterprise instance runs in debug mode, turn it off. Restart
the instance without using the --debug argument.
2. If you don't use tokens to authenticate users on the Splunk Enterprise
instance and token authentication is on, turn it off. See Enable or disable
token authentication for more information.
3. If the JsonWebToken component is at the DEBUG logging level, raise it to
the INFO level.
1. Log into Splunk Web on the Splunk Enterprise instance and visit the
Server Logging page as described previously.
2. Select the JsonWebToken component, change its logging level to INFO,
then select Save.
4. View the $SPLUNK_HOME/etc/log.cfg logging configuration files and confirm
that the JsonWebToken component is at the INFO logging level. Look for a
line in the file that says category.JsonWebToken= . If it equals DEBUG,
raise the logging level to INFO by doing the following:
1. Edit the $SPLUNK_HOME/etc/log.cfg file.
2. Add the line category.JsonWebToken=INFO to this file.
3. Save the file.
4. Repeat Steps 4a-4c with the log-local.cfg file, if it exists.
5. Restart Splunk Enterprise for the changes to log.cfg or log-local.cfg
to take effect. Note: Confirm that you do not use the --debug flag to
restart Splunk Enterprise.
5. Delete the following log file: $SPLUNK_HOME/var/log/splunk/splunkd.log
6. Delete all the Splunk Enterprise log file events from the _internal index
by running the following search command:
index=_internal component=JsonWebToken | delete
Note: The delete command requires the can_delete role, which administrators
do not receive by default. See delete for more info on the delete search
command.
7. While you are logged in, rotate any potentially exposed authentication
tokens. See Manage or delete authentication tokens for more information.
Detections
o Splunk Authentication Token Exposure in Debug Log
Severity
Splunk rates this vulnerability as informational, or falling between a 6.7,
Medium, and a 7.2, High. The following scenarios affect the score:
o If token authentication is turned off, then the vulnerability does not
affect this Splunk Enterprise instance and the advisory is Informational.
o If you limit access to the _internal index to holders of the admin role
only, then the CVSS score lowers to 6.7, Medium, with a CVSSv3.1 vector of
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
o If admin users have provided lower-privilege users access to the _internal
index, then the CVSS score would be 7.2, High, with a CVSSv3.1 vector of
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Acknowledgments
Alex Napier, Splunk
- --------------------------END INCLUDED TEXT----------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================