CVE-2023-46230
📋 TL;DR
Splunk Add-on Builder versions below 4.1.4 write sensitive information, such as the credentials and API keys configured for an add-on's data inputs, into the app's internal log files. Because Splunk indexes its own internal logs into the _internal index, that data is exposed not only to anyone who can read the files on the Splunk host but also to any Splunk user whose role is allowed to search _internal. An attacker with either kind of access can harvest the authentication data and use it against the systems the add-on connects to. Any organization running a vulnerable version of Splunk Add-on Builder is affected; the fix is to update to 4.1.4 or later and rotate the credentials that were logged.
💻 Affected Systems
- Splunk Add-on Builder, versions below 4.1.4 (all platforms)
📦 What is this software?
Splunk Add-on Builder is a Splunk app, distributed on Splunkbase, for building and validating technology add-ons (TAs) that bring third-party data into Splunk. Add-ons built with it typically store credentials or API keys for the external services they poll; those stored secrets are the data at stake here.
⚠️ Risk & Real-World Impact
Worst Case
Attackers read the logged credentials and API keys and use them to take over the third-party systems the add-on integrates with (and the Splunk deployment itself, if Splunk credentials were among those stored), leading to data exfiltration and lateral movement from a foothold that started as nothing more than read access to a log file or an _internal search.
Likely Case
An insider, a compromised low-privilege Splunk account with _internal search rights, or a backup or log-shipping pipeline that copies the files elsewhere exposes the logged secrets, enabling unauthorized access to the connected systems and privilege escalation within them.
If Mitigated
With tight controls on who can read the log files and search _internal, plus monitoring of both, the impact is limited to the disclosure already present in existing logs; rotating any credential found there removes the remaining exposure.
🎯 Exploit Status
No exploit code is involved: an attacker who can read the Add-on Builder log files on the Splunk host, or run searches against the _internal index, simply reads the credentials out of the log events. The prerequisite is therefore existing access, typically an operator or service account, a compromised Splunk role that can search _internal, or a copy of the logs that has been shipped to a less protected system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.4
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-0111
Restart Required: Yes
Instructions:
1. Download Splunk Add-on Builder 4.1.4 (or later) from Splunkbase.
2. Back up the current configuration, including $SPLUNK_HOME/etc/apps/splunk_app_addon-builder.
3. Install the update through Splunk Web (Apps → Manage Apps → Install app from file) or by unpacking it under $SPLUNK_HOME/etc/apps.
4. Restart Splunk.
5. After the restart, rotate every credential that appears in the old log files. The update stops new writes but does not scrub what was already written to disk or indexed into _internal.
🔧 Temporary Workarounds
Restrict Log File Access
Linux: Tighten file permissions on the Add-on Builder logs, including rotated copies, so only the Splunk service account can read them. Run as root (or as the service account if it already owns the files). Newly rotated files are created with Splunk's default mode, so re-apply this after each rotation.
chown splunk:splunk /opt/splunk/var/log/splunk/addonbuilder*.log*
chmod 600 /opt/splunk/var/log/splunk/addonbuilder*.log*
This only closes the on-disk path. Splunk still ingests these logs into the _internal index, so also restrict which roles may search _internal (srchIndexesAllowed in authorize.conf) until the patch is applied.
Disable Sensitive Logging
All platforms: The advisory does not identify a configuration setting that suppresses this specific logging, so reducing the app's log verbosity is at best a partial measure. Treat it as defense in depth, not as a substitute for updating to 4.1.4.
🧯 If You Can't Patch
- Restrict read access to the Splunk log directory, and search access to the _internal index, to the smallest set of accounts and roles that need them
- Monitor and alert on reads of the Add-on Builder log files (for example an auditd watch on $SPLUNK_HOME/var/log/splunk with -p r) and on _internal searches that reference them (see Detection & Monitoring below)
- Rotate any credential that has already been written to the logs, and purge the affected log files or move them into archive storage with restricted access
🔍 How to Verify
Check if Vulnerable:
Check Splunk Add-on Builder version in Splunk Web: Settings → Apps → Manage Apps → Splunk Add-on Builder
Check Version:
grep -E '^version' $SPLUNK_HOME/etc/apps/splunk_app_addon-builder/default/app.conf
Or query the management port (you will be prompted for the password; do not put it on the command line):
curl -k -u admin https://localhost:8089/services/apps/local/splunk_app_addon-builder | grep -i version
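As an added example (not Splunk's own tooling), the following Python script reads the installed version from app.conf and compares it numerically against 4.1.4. It assumes the app is installed under $SPLUNK_HOME/etc/apps/splunk_app_addon-builder and records its version as the version key of the [launcher] stanza, with local/app.conf taking precedence over default/app.conf as in Splunk's configuration layering. The comparison is done on integer tuples because a string comparison gets 4.1.10 versus 4.1.4 wrong.

```python
"""Added example, not Splunk's code: report whether the installed
Splunk Add-on Builder is older than the fixed release 4.1.4.

Assumed: the app lives in $SPLUNK_HOME/etc/apps/splunk_app_addon-builder
and its version is the 'version' key of the [launcher] stanza in app.conf
(local/app.conf takes precedence over default/app.conf, following Splunk's
configuration layering).
"""
import configparser
import os
import re

FIXED_VERSION = (4, 1, 4)
APP_DIR = os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"),
                       "etc", "apps", "splunk_app_addon-builder")  # assumed path


def parse_version(text):
    """'4.1.3' -> (4, 1, 3); tolerates a trailing suffix such as '4.1.3a'.
    Missing components count as 0, so '4.1' becomes (4, 1, 0)."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable(version_text):
    """True when the version sorts below 4.1.4 numerically.
    A plain string comparison would wrongly flag '4.1.10' as vulnerable."""
    return parse_version(version_text) < FIXED_VERSION


def version_from_app_conf(conf_text):
    """Pull the [launcher] version out of the text of an app.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(conf_text)
    return cp.get("launcher", "version")


def installed_version(app_dir=APP_DIR):
    """Return the version string from local/app.conf if it defines one,
    otherwise from default/app.conf; None if neither does."""
    for layer in ("local", "default"):
        path = os.path.join(app_dir, layer, "app.conf")
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            try:
                return version_from_app_conf(fh.read())
            except configparser.Error:  # stanza or key absent in this layer
                continue
    return None


if __name__ == "__main__":
    found = installed_version()
    if found is None:
        print(f"Splunk Add-on Builder not found under {APP_DIR}")
    elif is_vulnerable(found):
        print(f"VULNERABLE: Add-on Builder {found} is below 4.1.4 (CVE-2023-46230)")
    else:
        print(f"OK: Add-on Builder {found} includes the fix for CVE-2023-46230")
```

Run it on the search head (or wherever the app is installed) as the Splunk service account so app.conf is readable; set SPLUNK_HOME if Splunk is not under /opt/splunk.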
Verify Fix Applied:
Verify that the version shows 4.1.4 or higher and that newly written entries in addonbuilder*.log no longer contain credentials. Patching stops new writes only: secrets already in addonbuilder*.log, in rotated copies, and in _internal events remain until those files and events age out, so rotate any credential found there and restrict or purge the old logs.
📡 Detection & Monitoring
Log Indicators:
- Reads of addonbuilder*.log files (including rotated copies) by accounts other than the Splunk service account, or copies of them turning up in backups, tickets, or log-shipping destinations
- Credential-shaped strings (password=, api_key=, Bearer tokens, user:pass@ in URLs) in _internal events from those sources
- Searches against _internal that reference the Add-on Builder logs, run by users with no operational reason to do so (visible in the _audit index)
Network Indicators:
- Logins to the third-party services whose credentials were stored in the add-on, originating from somewhere other than the Splunk host that normally polls them
SIEM Query:
Find credential-shaped material in the indexed Add-on Builder logs. The rex anchors on a key name instead of the leading wildcards of a plain *password* OR *key* search (which also matched every "key" substring), and the eval masks the value so the search result does not itself become a second copy of the leak:
index=_internal source=*/addonbuilder*.log*
| rex field=_raw "(?i)(?<cred_key>password|passwd|secret|api[_-]?key|token)\s*[=:]\s*[\"']?(?<cred_val>[^\s\"',;]+)"
| where isnotnull(cred_val)
| eval cred_val=substr(cred_val,1,2)."***"
| table _time host source cred_key cred_val
Who has been searching those logs (Splunk's audit index records every granted search):
index=_audit action=search info=granted search="*addonbuilder*"
| stats count min(_time) as first_seen max(_time) as last_seen by user
Restrict who may run the first query; anyone who can run it unmasked can read the secrets.
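To check whether the on-disk logs still carry secrets (the "Verify Fix Applied" step above) and to triage what was exposed before the patch, the following Python scanner, added here and not part of Splunk's advisory or the Add-on Builder code base, matches credential-shaped material in log lines and prints a report with the values masked, so the triage output does not re-expose the secrets. The log path at the bottom is the one this page names; the sample lines are constructed for the example and are not real Add-on Builder output; the patterns are a starting point to tune against your own logs.

```python
"""Added example, not from Splunk's advisory or the Add-on Builder code base:
find credential-shaped material in Splunk Add-on Builder log lines and report
it with the secret masked.

Assumed: log files named addonbuilder*.log (the pattern this page uses) under
$SPLUNK_HOME/var/log/splunk; the sample lines below are constructed for the
example and are not real Add-on Builder output.
"""
import glob
import os
import re
from collections import namedtuple

Finding = namedtuple("Finding", "lineno kind name preview")

# Every pattern captures the secret as the named group 'val' and the key or
# scheme that introduced it as 'name'. Word boundaries keep 'token' from
# matching 'token_count' and 'pass' from matching 'passthrough'.
SECRET_PATTERNS = [
    ("keyvalue", re.compile(
        r"(?i)\b(?P<name>pass(?:word|wd)?|secret|client[_-]?secret|api[_-]?key|"
        r"access[_-]?key|token|session[_-]?key)\b['\"]?\s*[=:]\s*['\"]?"
        r"(?P<val>[^\s'\",;}&]+)")),
    ("bearer", re.compile(r"\b(?P<name>Bearer)\s+(?P<val>[A-Za-z0-9._~+/=-]{16,})")),
    ("basic", re.compile(r"\b(?P<name>Basic)\s+(?P<val>[A-Za-z0-9+/=]{12,})")),
    # userinfo embedded in a URL: scheme://user:password@host
    ("url_userinfo", re.compile(r"://(?P<name>[^/\s:@]+):(?P<val>[^@\s/]+)@")),
]

# Constructed sample log lines for this example (not real Add-on Builder output).
SAMPLE_LOG_LINES = [
    "2024-01-09 10:15:02,114 INFO  [aob] validate input name=acme_api interval=300",
    "2024-01-09 10:15:02,118 DEBUG [aob] rest call url=https://api.example.test/v1/events?api_key=AKIAEXAMPLEKEY0001 method=GET",
    "2024-01-09 10:15:02,119 DEBUG [aob] headers={'Authorization': 'Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnop', 'Accept': 'application/json'}",
    "2024-01-09 10:15:03,002 INFO  [aob] saved account username=svc_ingest password=Hunter2!Corr3ct",
    "2024-01-09 10:15:03,005 INFO  [aob] proxy configured proxy_url=https://proxyuser:Pr0xyPass@proxy.example.test:3128 enabled=1",
    "2024-01-09 10:15:03,010 INFO  [aob] input saved token_count=3 keys_loaded=12 passthrough=true",
]


def preview(secret, keep=2):
    """Keep only a short prefix: enough to correlate with a vault entry,
    not enough to replay the credential."""
    return secret[:keep] + "*" * 6


def scan_lines(lines):
    """Return one Finding per distinct secret per line, in line order.
    A value matched by two patterns (e.g. api_key= inside a URL) is
    reported once, under the first pattern that matched it."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        seen = set()
        for kind, pat in SECRET_PATTERNS:
            for m in pat.finditer(line):
                val = m.group("val")
                if val in seen:
                    continue
                seen.add(val)
                findings.append(Finding(lineno, kind, m.group("name"), preview(val)))
    return findings


def redact_line(line):
    """Replace every matched secret with [REDACTED], keeping the surrounding
    text so the redacted line can be stored in a ticket or report."""
    def mask(m):
        whole, start = m.group(0), m.start()
        s, e = m.span("val")
        return whole[:s - start] + "[REDACTED]" + whole[e - start:]
    for _kind, pat in SECRET_PATTERNS:
        line = pat.sub(mask, line)
    return line


def scan_file(path):
    """Scan a log file on disk; errors='replace' keeps a stray byte from
    aborting a triage run over a large rotated log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


if __name__ == "__main__":
    log_dir = os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"),
                           "var", "log", "splunk")
    # The name pattern is the one this page gives; the trailing * also picks
    # up rotated copies, which hold the same secrets.
    for path in sorted(glob.glob(os.path.join(log_dir, "addonbuilder*.log*"))):
        for f in scan_file(path):
            print(f"{path}:{f.lineno}: {f.kind} {f.name}={f.preview}")
```

Run it as the Splunk service account so the files are readable, and point it at archived copies as well as the live directory. An empty report on logs written after the upgrade is the verification signal; any hit on older logs is a credential to rotate. The same regexes can be dropped into the SPL rex command above to check what has already been indexed into _internal.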