In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS). The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
Splunk Enterprise and Cloud Platform are vulnerable to a denial-of-service (DoS) attack. A low-privileged user can exploit a path traversal vulnerability in the User Interface - Views configuration to delete arbitrary files, potentially disrupting Splunk's functionality by tricking an administrator into initiating a malicious request.
Step 1: Payload Creation: The low-privileged user crafts a malicious payload. This payload is designed to exploit the path traversal vulnerability by including path traversal sequences (e.g., ../) in the file deletion request within the User Interface - Views configuration. This payload is likely encoded or obfuscated to evade initial detection.
Step 2: Social Engineering: The low-privileged user must trick an administrator into initiating the malicious request. This is likely achieved through social engineering techniques, such as phishing emails or malicious links. The administrator must be logged into Splunk and have the necessary privileges to trigger the vulnerability.
Step 3: Request Initiation: The administrator, tricked by the social engineering, clicks on a malicious link or performs an action that triggers the crafted request within their browser. This request is sent to the Splunk server.
Step 4: File Deletion: The Splunk server, due to the path traversal vulnerability, processes the request and attempts to delete the files specified in the payload. Because of the lack of input validation, the server deletes the files specified by the attacker, potentially including critical Splunk files.
Step 5: Denial of Service: The deletion of critical files leads to a denial of service, rendering Splunk partially or completely unusable.
The vulnerability stems from insufficient input validation when handling file paths within the User Interface - Views configuration. Specifically, the application fails to properly sanitize user-supplied input related to file deletion operations, allowing a low-privileged user to craft a payload containing path traversal sequences (e.g., ../) to navigate outside the intended directory. This leads to the deletion of critical Splunk files, causing a DoS. The root cause is a missing or inadequate check on the file path before deletion, allowing the attacker to specify arbitrary files within the Splunk directory for removal. The vulnerability relies on a path traversal flaw, combined with a lack of proper access control checks for file deletion operations. The attack is triggered by a crafted request initiated by an administrator, highlighting a cross-site request forgery (CSRF) component.
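The missing check described above is a containment test on the resolved path before any file operation runs. The following is an added illustration of that check, not Splunk's code: it assumes a hypothetical `views` directory as the only location a delete request may touch, and exercises it against constructed inputs in a throwaway directory.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_within(base_dir: str, user_path: str) -> Optional[Path]:
    """Return the symlink-resolved path for user_path only if it stays inside base_dir."""
    # Normalise percent-encoding first so "%2e%2e%2f" is judged on its decoded form,
    # and refuse NUL bytes, which can truncate paths in lower-level file APIs.
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    # An absolute user path would make the join discard base_dir entirely.
    if Path(decoded).is_absolute():
        return None
    base = Path(base_dir).resolve()
    # resolve() collapses ".." segments and follows symlinks, so a link that
    # points outside the base directory is rejected by the same test.
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def safe_delete(base_dir: str, user_path: str) -> bool:
    """Delete user_path only when it resolves inside base_dir; True if deleted, False if refused."""
    target = resolve_within(base_dir, user_path)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Run the check over constructed inputs; the file layout here is a stand-in, not a Splunk install."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        views = Path(tmp) / "views"          # hypothetical directory the request may touch
        views.mkdir()
        (views / "dashboard.xml").write_text("<view/>")
        outside = Path(tmp) / "server.conf"  # constructed file that must survive every request
        outside.write_text("[general]")
        results["legit"] = safe_delete(str(views), "dashboard.xml")
        results["traversal"] = safe_delete(str(views), "../server.conf")
        results["encoded"] = safe_delete(str(views), "..%2Fserver.conf")
        results["absolute"] = safe_delete(str(views), str(outside))
        results["outside_still_exists"] = outside.exists()
    return results
```

Only the in-directory request succeeds; the traversal, percent-encoded and absolute-path variants are all refused before `unlink` is reached.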