Splunk Enterprise Deployment Vulnerability Audit

Find Devices Vulnerable to CVE-2022-32158

Splunk released a security advisory detailing CVE-2022-32158, a vulnerability in the Splunk deployment server that allows a deployment client to deploy forwarder bundles to other deployment clients. An attacker who compromises a single Universal Forwarder endpoint can therefore execute arbitrary code on every other Universal Forwarder endpoint enrolled with the same deployment server.

The report below lists every asset in your IT environment that has a Splunk Enterprise instance installed, together with the asset details and the installed Splunk Enterprise version. From the version string, each instance is marked as vulnerable to CVE-2022-32158 or not: any version whose first (major) component is lower than 9 is flagged as Vulnerable, everything else as Safe.


Splunk Enterprise Deployment Vulnerability Query

Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblAssets.Version,
  tblAssets.SP,
  tblSoftwareUni.softwareName,
  tblSoftwareUni.SoftwarePublisher,
  tblSoftware.softwareVersion,
  -- Vulnerability check: count the dots in the version string, then read the
  -- leftmost (major) component with ParseName. ParseName only splits up to four
  -- dot-separated parts, so a version with no dot or more than three dots does
  -- not match any branch and falls through to 'Safe'; review such rows manually.
  Case
    When Len(tblSoftware.softwareVersion) -
      Len(Replace(tblSoftware.softwareVersion, '.', '')) = 3 And
      Cast(ParseName(tblSoftware.softwareVersion, 4) As int) < 9 Then 'Vulnerable'
    When Len(tblSoftware.softwareVersion) -
      Len(Replace(tblSoftware.softwareVersion, '.', '')) = 2 And
      Cast(ParseName(tblSoftware.softwareVersion, 3) As int) < 9 Then 'Vulnerable'
    When Len(tblSoftware.softwareVersion) -
      Len(Replace(tblSoftware.softwareVersion, '.', '')) = 1 And
      Cast(ParseName(tblSoftware.softwareVersion, 2) As int) < 9 Then 'Vulnerable'
    Else 'Safe'
  End As [Vulnerable/Safe],
  -- Most recent scanning error for the asset, if one is recorded
  Case
    When tblErrors.ErrorText Is Not Null And tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  -- Row colour for the report grid: same conditions as the Vulnerable/Safe column
  Case
    When Len(tblSoftware.softwareVersion) -
      Len(Replace(tblSoftware.softwareVersion, '.', '')) = 3 And
      Cast(ParseName(tblSoftware.softwareVersion, 4) As int) < 9 Then '#ffadad'
    When Len(tblSoftware.softwareVersion) -
      Len(Replace(tblSoftware.softwareVersion, '.', '')) = 2 And
      Cast(ParseName(tblSoftware.softwareVersion, 3) As int) < 9 Then '#ffadad'
    When Len(tblSoftware.softwareVersion) -
      Len(Replace(tblSoftware.softwareVersion, '.', '')) = 1 And
      Cast(ParseName(tblSoftware.softwareVersion, 2) As int) < 9 Then '#ffadad'
    Else '#d4f4be'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tblSoftware On tblSoftware.AssetID = tblAssets.AssetID
  Inner Join dbo.tblSoftwareUni On tblSoftware.softID = tblSoftwareUni.SoftID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  -- Latest error record per asset (highest Teller value)
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID = ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType
Where tblSoftwareUni.softwareName Like '%Splunk enterprise%' And
  tblState.Statename = 'Active'
Order By tblAssets.Domain,
  tblAssets.AssetName
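The version test in the query above is easy to get subtly wrong, so here is an added example, not part of the Lansweeper report and not Lansweeper code, that re-implements the same CASE logic in Python and runs it over constructed sample rows. It also includes a stricter parser (an assumption of this example: a Splunk Enterprise version is a leading integer followed by dotted components) that reports unparseable versions as Unknown instead of letting them fall through to Safe, so the two classifications can be compared side by side.

```python
"""
Added example (not part of the Lansweeper report page): a Python re-implementation
of the version check performed by the report's T-SQL CASE expression, run over
constructed sample rows so the classification and its edge cases can be inspected.
"""
import re
from typing import Optional

FIXED_MAJOR = 9  # the query flags any first (major) version component below 9


def major_component_sql_style(version: str) -> Optional[int]:
    """Mimic the T-SQL logic: count the dots, then read the leftmost component
    via ParseName only when the string has 1, 2 or 3 dots. Returns None where the
    SQL would fall through to the Else branch ('Safe'); raises ValueError where
    Cast(... As int) would fail on non-numeric text."""
    dots = version.count('.')
    if dots not in (1, 2, 3):
        return None  # no dot or more than three dots: no When branch matches
    first = version.split('.')[0]
    return int(first)


def classify(version: str) -> str:
    """Return 'Vulnerable' or 'Safe' exactly as the report's CASE expression does."""
    major = major_component_sql_style(version)
    if major is not None and major < FIXED_MAJOR:
        return 'Vulnerable'
    return 'Safe'


def classify_strict(version: str) -> str:
    """Stricter variant (assumption: a version is a leading integer followed by
    dotted components, optionally with a build suffix). Anything that cannot be
    parsed is reported as 'Unknown' so it is reviewed rather than listed as Safe."""
    m = re.match(r'^(\d+)(?:\.\d+)*', version.strip())
    if not m:
        return 'Unknown'
    return 'Vulnerable' if int(m.group(1)) < FIXED_MAJOR else 'Safe'


# Constructed sample rows in the shape of the report's output columns (not real scan data).
SAMPLE_ROWS = [
    {"AssetName": "SPLUNK-DS01", "softwareName": "Splunk Enterprise", "softwareVersion": "8.2.6"},
    {"AssetName": "SPLUNK-DS02", "softwareName": "Splunk Enterprise", "softwareVersion": "9.0.0"},
    {"AssetName": "SPLUNK-IDX01", "softwareName": "Splunk Enterprise", "softwareVersion": "8.1.10.1"},
    {"AssetName": "SPLUNK-SH01", "softwareName": "Splunk Enterprise", "softwareVersion": "8"},          # no dot
    {"AssetName": "SPLUNK-SH02", "softwareName": "Splunk Enterprise", "softwareVersion": "8.2.6.1.2"},  # four dots
]


def audit(rows):
    """Classify each row both ways so rows where the SQL logic and the stricter
    parser disagree stand out for manual review."""
    return [
        (r["AssetName"], r["softwareVersion"],
         classify(r["softwareVersion"]), classify_strict(r["softwareVersion"]))
        for r in rows
    ]


if __name__ == "__main__":
    for name, ver, sql_result, strict_result in audit(SAMPLE_ROWS):
        flag = "" if sql_result == strict_result else "  <-- differs, review"
        print(f"{name:13} {ver:10} SQL={sql_result:10} strict={strict_result}{flag}")
```

Running it shows the two edge cases the SQL cannot express: a bare "8" and a five-part "8.2.6.1.2" are both listed as Safe by the CASE expression although their major version is below 9, while the stricter parser flags them. When reviewing report output, treat any Splunk Enterprise row whose version string does not have one to three dots as unclassified rather than safe.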
