-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2015.0044
   Splunk Enterprise and Splunk Light version 6.2.3 correct multiple
                           vulnerabilities
                               5 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Splunk Enterprise
                   Splunk Light
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1787 CVE-2015-0293 CVE-2015-0292 CVE-2015-0291
                   CVE-2015-0290 CVE-2015-0289 CVE-2015-0288 CVE-2015-0287
                   CVE-2015-0286 CVE-2015-0285 CVE-2015-0209 CVE-2015-0208
                   CVE-2015-0204
Member content until: Thursday, June 4 2015
Reference:         ASB-2015.0035 ASB-2015.0031 ASB-2015.0027 ESB-2015.1200
                   ESB-2015.1189 ESB-2015.1139

OVERVIEW

        A number of vulnerabilities have been identified in Splunk Enterprise
        and Splunk Light prior to version 6.2.3. [1]

IMPACT

        The vendor has provided the following details regarding the
        vulnerabilities:

        "Multiple vulnerabilities in OpenSSL before 1.0.1m (SPL-98531)

        Description: Splunk Enterprise 6.2.x before 6.2.3 and Splunk Light
        6.2.x before 6.2.3 are affected by multiple OpenSSL vulnerabilities
        resolved by OpenSSL 1.0.1m. The most severe of these issues could
        result in a crash during TLS connections". [1]

        The above OpenSSL vulnerabilities have been detailed as follows:

        "CVE-2015-0291: If a client connects to an OpenSSL 1.0.2 server and
        renegotiates with an invalid signature algorithms extension a NULL
        pointer dereference will occur. This can be exploited in a DoS attack
        against the server.
        CVE-2015-0204: This security issue was previously announced by the
        OpenSSL project and classified as "low" severity. This severity rating
        has now been changed to "high".

        CVE-2015-0290: OpenSSL 1.0.2 introduced the "multiblock" performance
        improvement. This feature only applies on 64 bit x86 architecture
        platforms that support AES NI instructions. A defect in the
        implementation of "multiblock" can cause OpenSSL's internal write
        buffer to become incorrectly set to NULL when using non-blocking IO.
        Typically, when the user application is using a socket BIO for
        writing, this will only result in a failed connection. However if some
        other BIO is used then it is likely that a segmentation fault will be
        triggered, thus enabling a potential DoS attack.

        CVE-2015-0286: The function ASN1_TYPE_cmp will crash with an invalid
        read if an attempt is made to compare ASN.1 boolean types. Since
        ASN1_TYPE_cmp is used to check certificate signature algorithm
        consistency this can be used to crash any certificate verification
        operation and exploited in a DoS attack. Any application which
        performs certificate verification is vulnerable including OpenSSL
        clients and servers which enable client authentication.

        CVE-2015-0208: The signature verification routines will crash with a
        NULL pointer dereference if presented with an ASN.1 signature using
        the RSA PSS algorithm and invalid parameters. Since these routines are
        used to verify certificate signature algorithms this can be used to
        crash any certificate verification operation and exploited in a DoS
        attack. Any application which performs certificate verification is
        vulnerable including OpenSSL clients and servers which enable client
        authentication.

        CVE-2015-0287: Reusing a structure in ASN.1 parsing may allow an
        attacker to cause memory corruption via an invalid write. Such reuse
        is and has been strongly discouraged and is believed to be rare.

        CVE-2015-0289: The PKCS#7 parsing code does not handle missing outer
        ContentInfo correctly.
        An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
        missing content and trigger a NULL pointer dereference on parsing.

        CVE-2015-0292: A vulnerability existed in previous versions of OpenSSL
        related to the processing of base64 encoded data. Any code path that
        reads base64 data from an untrusted source could be affected (such as
        the PEM processing routines). Maliciously crafted base64 data could
        trigger a segmentation fault or memory corruption. This was addressed
        in previous versions of OpenSSL but has not been included in any
        security advisory until now.

        CVE-2015-0293: A malicious client can trigger an OPENSSL_assert (i.e.,
        an abort) in servers that both support SSLv2 and enable export cipher
        suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message.

        CVE-2015-1787: If client auth is used then a server can seg fault in
        the event of a DHE ciphersuite being selected and a zero length
        ClientKeyExchange message being sent by the client. This could be
        exploited in a DoS attack.

        CVE-2015-0285: Under certain conditions an OpenSSL 1.0.2 client can
        complete a handshake with an unseeded PRNG. If the handshake succeeds
        then the client random that has been used will have been generated
        from a PRNG with insufficient entropy and therefore the output may be
        predictable.

        CVE-2015-0209: A malformed EC private key file consumed via the
        d2i_ECPrivateKey function could cause a use after free condition.
        This, in turn, could cause a double free in several private key
        parsing functions (such as d2i_PrivateKey or EVP_PKCS82PKEY) and could
        lead to a DoS attack or memory corruption for applications that
        receive EC private keys from untrusted sources. This scenario is
        considered rare.

        CVE-2015-0288: The function X509_to_X509_REQ will crash with a NULL
        pointer dereference if the certificate key is invalid. This function
        is rarely used in practice".
        [2]

        Note that the advisory text quoted above describes CVE-2015-0291,
        CVE-2015-0290 and CVE-2015-0285 as issues specific to OpenSSL 1.0.2;
        the remaining CVEs are the ones the vendor states are resolved by the
        update to OpenSSL 1.0.1m.

        "Secure flag inconsistently set for session cookies with
        appServerPorts!=0 (SPL-95798)

        Description: When using Splunk Web with SSL enabled, the secure flag
        is not consistently set for all URL paths. This vulnerability affects
        versions of Splunk Enterprise 6.2.x before 6.2.3 and Splunk Light
        before 6.2.3. This vulnerability could lead to leaking session cookies
        over HTTP when a user visits specific URLs.

        Cross-site scripting in Search (SPL-95798)

        Description: The Splunk Enterprise 6.2.x search functionality contains
        a cross-site scripting vulnerability. This can be triggered by
        user-interaction or via malicious search data. This vulnerability
        affects versions of Splunk Enterprise 6.2.x before 6.2.3 and Splunk
        Light before 6.2.3. This vulnerability could lead to leaking session
        cookies over HTTP when a user visits a series of attacker controlled
        URLs.

        Cross-site scripting in management and configuration (SPL-93516)

        Description: Splunk Enterprise 6.2.x before 6.2.3, 6.1.x before 6.1.7,
        6.0.x before 6.0.8, and 5.0.x before 5.0.12 and Splunk Light before
        6.2.3 contain a reflected cross-site scripting vulnerability in the
        management and configuration pages. This could allow an attacker to
        perform actions in the user context via a crafted URL". [1]

MITIGATION

        It is recommended that users update to the latest versions of Splunk
        Enterprise and Splunk Light to correct these issues. [1]

REFERENCES

        [1] Splunk Enterprise 6.2.3 and Splunk Light 6.2.3 address five
            vulnerabilities
            http://www.splunk.com/view/SP-CAAANZ7

        [2] OpenSSL Security Advisory [19 Mar 2015]
            https://openssl.org/news/secadv_20150319.txt

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVUgbTRLndAQH1ShLAQKzyg//U22JXn4u4KX/mkijudfC8DUBaygxkaVf
/PPcDTYrJegUmcJWs/y3+4LjPbzGqFwJAeIgQsQAXNOyJKoe4It1JvWVDJpX4H9Q
cjgBkOeYyOxSsmZp32P5AhptAH7xFRz9IzBW6anvzGfOMU+LoVjpdzKJjVdnYIUm
8BJNfqlLeu8/YrS2Q6gk92DmSo+0uTZOZsAM3cBfGJzmQ/QUjKcNzxLTR8UcQl38
OtgQzI4jGOEHu0qvmwZIzJoXNGdUBeH9KnVfq4hcoRAff9GTzbggbzgvjxE7bygc
LTH489lNwscWheuCEMnTrsAO6LJxneCPU7cVBYu5vJhYcd/FpFTihbuyJY56nkks
G7mIPWm83wrKLRmC2VPakoIFfUHomd39iO192aPJbbVewf9MBshmHAufMnUw09p6
rbKGlBKCFWd2hdYcEPQed3CFKoscEy7t9NW5GADPWW/ABCzABZAISXPk7pHxL5o/
aX2IaUFCHi3yVqNZQQY121+JPWWDL1qA9xcn8+oqX0JrjD0gf1YubkMsJHKK6A0/
GzEb5Jn3LQmuvrLdoaEg8M4CqmwTFeaQVIyhkRVlmuq9hJKT9M1EG4JZcB8IUbr1
ge6PVxnXio+DjbF0NMc1dW/DkND6fGvT5oO4zdRV5ojBmZHWbZl6lqFbyPz6Md02
lLu9Pwvq/Fc=
=8q7C
-----END PGP SIGNATURE-----
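As an added example (not part of the AusCERT bulletin above, and not code from Splunk or the OpenSSL project), the following Python script triages an OpenSSL version string against the CVE list in the IMPACT section. It separates the three issues the quoted advisory text attributes to OpenSSL 1.0.2 (CVE-2015-0291, CVE-2015-0290, CVE-2015-0285) from the set the vendor states is resolved by OpenSSL 1.0.1m, and it gets the patch-letter ordering right, which is where ad hoc version comparisons usually go wrong. Three things are assumptions rather than page content: 1.0.2a as the fix release for the 1.0.2 branch, the `splunk cmd openssl version` command form for obtaining the bundled version, and the conservative rule that a build older than the fix release is reported with the whole applicable set.

```python
"""Triage an OpenSSL build against the CVE list in ASB-2015.0044.

Added example; not code from AusCERT, Splunk or the OpenSSL project. It
encodes only what the bulletin states: Splunk says the listed CVEs are
resolved by OpenSSL 1.0.1m, and the quoted advisory text describes
CVE-2015-0291, CVE-2015-0290 and CVE-2015-0285 as OpenSSL 1.0.2 issues.
The 1.0.2a fix release for the 1.0.2 branch is an assumption as far as
this page goes (it comes from the same 19 Mar 2015 OpenSSL advisory).
"""
import re

LISTED_CVES = frozenset({
    "CVE-2015-1787", "CVE-2015-0293", "CVE-2015-0292", "CVE-2015-0291",
    "CVE-2015-0290", "CVE-2015-0289", "CVE-2015-0288", "CVE-2015-0287",
    "CVE-2015-0286", "CVE-2015-0285", "CVE-2015-0209", "CVE-2015-0208",
    "CVE-2015-0204",
})
# Described in the quoted advisory text as affecting OpenSSL 1.0.2 only.
ONLY_1_0_2 = frozenset({"CVE-2015-0291", "CVE-2015-0290", "CVE-2015-0285"})

# Branch -> first release of that branch carrying all of the fixes.
FIXED_IN = {(1, 0, 1): "1.0.1m", (1, 0, 2): "1.0.2a"}  # 1.0.2a: assumption

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn 'OpenSSL 1.0.1k-fips 8 Jan 2015' into a comparable tuple.

    The patch letter sorts after the bare release ('1.0.1' < '1.0.1a') and a
    double letter sorts after every single letter ('1.0.1z' < '1.0.1za'), so
    the tuple carries (len(letter), letter) rather than the letter alone.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix), len(letter), letter)


def unresolved_cves(version_text):
    """Return the listed CVEs a build should still be treated as carrying.

    Conservative by design: the bulletin gives only the release that resolves
    the set, not when each bug was introduced, so anything older than that
    release on its branch is reported with the whole applicable set.
    """
    version = parse_version(version_text)
    branch = version[:3]
    if branch not in FIXED_IN:
        raise ValueError("branch %d.%d.%d is not covered by this bulletin" % branch)
    if version >= parse_version(FIXED_IN[branch]):
        return frozenset()
    if branch == (1, 0, 1):
        return LISTED_CVES - ONLY_1_0_2
    return LISTED_CVES


if __name__ == "__main__":
    # Typical input: the output of "openssl version" from the bundled binary
    # (for Splunk, assumed to be "$SPLUNK_HOME/bin/splunk cmd openssl version").
    for sample in ("OpenSSL 1.0.1k-fips 8 Jan 2015",
                   "OpenSSL 1.0.2 22 Jan 2015",
                   "OpenSSL 1.0.1m 19 Mar 2015"):
        print("%-32s %2d unresolved" % (sample, len(unresolved_cves(sample))))
```

Feed it the version string printed by the OpenSSL binary the Splunk install actually links, not the system one; a host-level `openssl version` says nothing about the library bundled under $SPLUNK_HOME.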
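The SPL-95798 description in the IMPACT section (session cookies issued without the Secure flag on some URL paths of Splunk Web, so a browser will also send them over plain HTTP) can be checked from outside with the script below, added here as an example rather than taken from the bulletin or from Splunk. It parses Set-Cookie headers collected over HTTPS and reports session cookies missing Secure or HttpOnly, plus any cookie whose Secure flag differs between paths, which is the inconsistency the advisory describes. The session cookie name prefix, the URL paths and the sample responses are assumptions constructed for the example.

```python
"""Audit Splunk Web session cookies for a missing or inconsistent Secure flag.

Added example for the SPL-95798 description in ASB-2015.0044; it is not code
from AusCERT or Splunk. The session cookie name prefix, the URL paths and
the sample responses below are assumptions constructed for illustration.
"""
import http.client
import ssl

# Assumption: Splunk Web session cookies are named "session_id_<port>".
SESSION_COOKIE_PREFIX = "session_id_"


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Flag attributes (Secure, HttpOnly) map to True; attribute names are
    lower-cased because they are case-insensitive on the wire.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(responses):
    """responses: {url_path: [Set-Cookie header values]} as seen over HTTPS.

    Returns a sorted list of (path, cookie, problem) findings. A session
    cookie issued without Secure is sent by the browser over plain HTTP as
    well, which is the leak the bulletin describes; a flag that is present
    on some paths and absent on others is reported as a separate finding.
    """
    findings = []
    secure_by_name = {}
    for path, headers in responses.items():
        for header in headers:
            name, _, attrs = parse_set_cookie(header)
            if not name.startswith(SESSION_COOKIE_PREFIX):
                continue
            secure = "secure" in attrs
            secure_by_name.setdefault(name, set()).add(secure)
            if not secure:
                findings.append((path, name, "missing Secure"))
            if "httponly" not in attrs:
                findings.append((path, name, "missing HttpOnly"))
    for name, seen in secure_by_name.items():
        if seen == {True, False}:
            findings.append(("*", name, "Secure set inconsistently across paths"))
    return sorted(findings)


def fetch_set_cookies(host, port, paths, verify=True):
    """Live mode: GET each path over TLS and collect its Set-Cookie headers."""
    ctx = ssl.create_default_context()
    if not verify:  # e.g. a self-signed Splunk Web certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    collected = {}
    for path in paths:
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()
            collected[path] = resp.headers.get_all("Set-Cookie") or []
        finally:
            conn.close()
    return collected


# Constructed sample of what an affected instance might return; not real data.
SAMPLE_RESPONSES = {
    "/en-US/account/login": [
        "session_id_8000=0123abcd; Path=/; Secure; HttpOnly",
    ],
    "/en-US/app/launcher/home": [
        "session_id_8000=0123abcd; Path=/; HttpOnly",  # Secure dropped here
    ],
    "/en-US/static/app.js": [],
}

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSES with fetch_set_cookies(host, 8000, paths) for a live check.
    for path, cookie, problem in audit_cookies(SAMPLE_RESPONSES):
        print("%-28s %-18s %s" % (path, cookie, problem))
```

Run the live mode against the same set of paths before and after the upgrade to 6.2.3; the set of paths matters because the bug is per-path, so a single login-page check that passes says nothing about the rest of the UI.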