CVE-2023-32712

8.6 HIGH

📋 TL;DR

This vulnerability allows attackers to inject ANSI escape codes into Splunk log files, which could lead to code execution in vulnerable terminal applications when users read these logs. It affects Splunk Enterprise versions below specific patches and Universal Forwarders with active management services. The attack requires user interaction with malicious log files in vulnerable terminals.

💻 Affected Systems

Products:
  • Splunk Enterprise
  • Splunk Universal Forwarder
Versions: Splunk Enterprise: below 9.1.0.2, 9.0.5.1, 8.2.11.2; Universal Forwarder: 9.1.0.1, 9.0.5, 8.2.11 and lower with management services active
Operating Systems: All platforms running affected Splunk versions
Default Config Vulnerable: ✅ No
Notes: Universal Forwarder versions 9.0.x and 9.1.x with management services bound only to the local machine are not vulnerable. Version 9.1 uses Unix domain sockets for the management service, which reduces the attack surface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution on a user's terminal application when reading malicious log files, potentially leading to full system compromise depending on terminal permissions.

🟠

Likely Case

Limited impact due to required user interaction and specific terminal vulnerabilities; most likely denial of service or terminal manipulation rather than code execution.

🟢

If Mitigated

No impact if patched versions are used or if vulnerable terminals are not employed to read Splunk logs.

🌐 Internet-Facing: LOW - Attack requires user to read malicious log files locally; not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users reading Splunk logs with vulnerable terminals could be affected, but requires specific conditions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH - Requires user to read malicious log file in vulnerable terminal with specific interaction

Exploitation depends on terminal application vulnerabilities, not directly on Splunk. Attack is indirect and requires multiple conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Splunk Enterprise: 9.1.0.2, 9.0.5.1, 8.2.11.2; Universal Forwarder: upgrade to latest versions

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2023-0606

Restart Required: Yes

Instructions:

1. Download the appropriate patch from the Splunk downloads page.
2. Back up the current installation.
3. Stop Splunk services.
4. Apply the patch according to Splunk documentation.
5. Restart Splunk services.
6. Verify the version with the 'splunk version' command.

🔧 Temporary Workarounds

Disable Universal Forwarder Management Services

Applies to: all

Prevents the Universal Forwarder from being vulnerable by disabling its network-accessible management services.

1. Edit $SPLUNK_HOME/etc/system/local/server.conf and set disableDefaultPort = true under the [httpServer] stanza.
2. Restart the Universal Forwarder.

Use Secure Terminal Applications

Applies to: all

Ensure that the terminal applications used to read Splunk logs are not vulnerable to ANSI escape code injection (keep them patched, and prefer viewers that render control characters visibly instead of interpreting them).

🧯 If You Can't Patch

  • Restrict access to Splunk log files to trusted users only
  • Implement monitoring for unusual log file modifications or ANSI code injection attempts

🔍 How to Verify

Check if Vulnerable:

Check Splunk version with 'splunk version' command and compare against affected versions. For Universal Forwarder, verify if management services are active on network interfaces.

Check Version:

splunk version

Verify Fix Applied:

Confirm version is at or above patched versions: 9.1.0.2, 9.0.5.1, or 8.2.11.2 for Enterprise. Check that Universal Forwarder management services are properly configured.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ANSI escape sequences in Splunk log files
  • Unexpected terminal behavior when viewing logs

Network Indicators:

  • Unauthorized access attempts to Universal Forwarder management ports (default 8089)

SIEM Query:

index=_internal source=*splunkd.log | regex _raw="\x1b(\[|\])"

Searching for the literal words "ANSI" or "escape sequence" will not match injected sequences; the regex above matches the ESC byte (0x1b) that introduces a CSI (ESC [) or OSC (ESC ]) sequence.
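The log indicators above can be checked without ever sending the raw bytes to a terminal. The following is an added example (not Splunk code and not from the advisory): a small Python scanner that finds ANSI escape sequences in log lines, reports each one with the control bytes rendered visibly so the report itself is safe to print, and can strip the sequences for safe display. The sample lines are constructed to loosely resemble splunkd.log and are not a real capture.

```python
"""Scan log lines for ANSI terminal escape sequences before they reach a terminal.

Added example (not Splunk code). SAMPLE_LOG is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# ESC (0x1b) followed by a CSI sequence, an OSC sequence, any other single
# character, or nothing at all (a bare ESC at end of line is still reported).
ANSI_RE = re.compile(
    r"\x1b(?:"
    r"\[[0-?]*[ -/]*[@-~]"             # CSI: ESC [ params intermediates final byte
    r"|\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: ESC ] text, terminated by BEL or ESC \
    r"|."                              # two-character escape: ESC + one char
    r")?"
)


@dataclass
class Finding:
    line_no: int
    sequence: str  # the matched sequence, control bytes rendered visibly
    context: str   # the whole line, control bytes rendered visibly


def render_visible(text: str) -> str:
    """Make ESC and BEL printable so a finding can be shown in any terminal."""
    return text.replace("\x1b", "\\x1b").replace("\x07", "\\x07")


def strip_escapes(line: str) -> str:
    """Remove escape sequences entirely (for display or downstream parsing)."""
    return ANSI_RE.sub("", line)


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per escape sequence found, in file order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for match in ANSI_RE.finditer(line):
            findings.append(
                Finding(line_no, render_visible(match.group(0)), render_visible(line))
            )
    return findings


# Constructed sample: line 2 carries clear-screen, cursor-home and a window-title
# (OSC) sequence injected in front of a username; line 4 ends in a bare ESC byte.
SAMPLE_LOG = [
    "08-15-2023 10:00:01.123 +0000 INFO  HttpListener - Socket listener started",
    "08-15-2023 10:00:02.456 +0000 WARN  AuthManager - login failed for user "
    "\x1b[2J\x1b[H\x1b]0;pwned\x07admin",
    "08-15-2023 10:00:03.789 +0000 INFO  Metrics - group=thruput, instantaneous_kbps=1.2",
    "08-15-2023 10:00:04.000 +0000 ERROR Parser - bad input: \x1b",
]

if __name__ == "__main__":
    # Running against a real file: scan_log(open(path, errors="replace"))
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.sequence}  in: {f.context}")
```

To run it over a real file, pass an open file object (for example `scan_log(open(path, errors="replace"))`) and only ever print the `sequence` and `context` fields, never the raw line. The regex deliberately reports a bare or truncated ESC as well as complete sequences, since a partial sequence at a line boundary is still worth a look.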
