Splunk has fixed a serious, and seriously odd, bug that could allow an attacker to inject ANSI escape codes into Splunk IT Service Intelligence log files and potentially gain remote code execution.
Interestingly, the vulnerability (CVE-2023-0810) does not allow the attacker to take actions on the Splunk ITSI application itself, but rather on any vulnerable terminal application running on the victim’s machine. The bug affects versions 4.13.0 through 4.13.2 and 4.15.0 through 4.15.2 and it enables an attacker to inject ANSI escape codes into log files from the affected Splunk products.
“In Splunk IT Service Intelligence (ITSI) versions below 4.13.3 or 4.15.3, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed,” the advisory says.
“The vulnerability does not directly affect Splunk ITSI. The indirect impact on Splunk ITSI can vary significantly depending on the permissions in the vulnerable terminal application, as well as where and how the user reads the malicious log file. For example, users can copy the malicious file from Splunk ITSI and read it on their local machine.”
In order to exploit the bug, an attacker does not need any special privileges or permissions and does not need to be authenticated. However, the exploit only works if a user on the target machine opens or reads the malicious log file.
In lieu of upgrading to a patched version of Splunk ITSI, customers can disable the ability to process ANSI escape codes in terminal applications.
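The mitigation above works on the terminal side, by stopping it from interpreting escape codes. A complementary check on the log side is shown below as an added example; it is not code from the article or from Splunk. It is a small Python scanner that flags every ANSI escape sequence (CSI, OSC and other two-byte escapes) found in a log line and rewrites each ESC byte as the printable `^[` so the line can be displayed safely. The log lines, the `itsi_worker` component name and the file name `ansi_log_check.py` are constructed for the example.

```python
import re
import sys

# Regular expression for the escape-sequence families a terminal interprets:
#   CSI : ESC [ <params> <intermediates> <final>   (colours, cursor moves, erase)
#   OSC : ESC ] <text> terminated by BEL or ESC \   (terminal-specific commands)
#   Fe  : ESC followed by one byte in 0x40-0x5F     (other two-byte escapes)
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC
    r"|\x1b[@-Z\\-_]"                      # other Fe escapes
)

# Constructed sample log lines (not real Splunk ITSI output). Line 2 carries
# colour codes; line 3 carries a clear-screen and cursor-home sequence that
# would hide earlier output when the file is displayed in an interpreting
# terminal.
SAMPLE_LOG = [
    "2023-02-14 10:01:02 INFO itsi_worker: job 42 finished",
    "2023-02-14 10:01:03 INFO itsi_worker: service=\x1b[31mpayments\x1b[0m status=ok",
    "2023-02-14 10:01:04 WARN itsi_worker: note=\x1b[2J\x1b[Hlooks empty",
]


def find_escapes(line):
    """Return every ANSI escape sequence found in a single log line."""
    return ANSI_RE.findall(line)


def sanitize_line(line):
    """Make escape sequences visible instead of interpretable.

    Every ESC byte (0x1B) is rewritten as the two printable characters '^['
    (the convention `cat -v` uses), so the text survives for analysis but
    no terminal will act on it. Stray ESC bytes that match no known family
    are neutralised as well.
    """
    return line.replace("\x1b", "^[")


def scan_log(lines):
    """Return (line_number, sequences, sanitized_line) for each line that
    contains at least one escape sequence; clean lines are omitted."""
    findings = []
    for number, line in enumerate(lines, start=1):
        seqs = find_escapes(line)
        if seqs:
            findings.append((number, seqs, sanitize_line(line)))
    return findings


if __name__ == "__main__":
    # Usage: python ansi_log_check.py [logfile]
    # Without a path, the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = [l.rstrip("\n") for l in fh]
    else:
        lines = SAMPLE_LOG
    for number, seqs, clean in scan_log(lines):
        print(f"line {number}: {len(seqs)} escape sequence(s): {clean}")
```

Run against a copied log file before opening it in a terminal, or wire `scan_log` into a log-shipping step so lines containing escape sequences are flagged at ingest rather than discovered when someone runs `cat` or `tail` on the file. The sanitizer deliberately keeps the sequence text (only ESC is rewritten), so an analyst can still see exactly what was injected.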