Splunk released a new security advisory detailing CVE-2022-32158, a vulnerability in Splunk Enterprise deployment servers that lets a deployment client deploy forwarder bundles to other deployment clients through the deployment server. An attacker who compromises a single Universal Forwarder endpoint can use this to execute arbitrary code on every other Universal Forwarder endpoint subscribed to that deployment server.
The vulnerability received a CVSS base score of 9.0 (Critical). Splunk Enterprise customers are urged to upgrade their deployment servers to version 9.0 or later as soon as possible; the remediation is on the deployment server, and Splunk's advisory does not call for upgrading the forwarders themselves. No exploitation has been reported yet, but every deployment server running a version below 9.0 is affected, so exploitation attempts should be expected.
The CIS advisory lists further mitigations, including:
- Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Restrict execution of code to a virtual environment on or in transit to an endpoint system.
- Block execution of code on a system through application control, and/or script blocking.
- Use endpoint capabilities that block suspicious behavior patterns, such as unusual process, file, or API-call activity.
Discover Vulnerable Devices
We've created a special Lansweeper report that lists every device in your environment running a Splunk Enterprise instance with a version lower than 9.0. The report is color-coded so you can identify an asset's vulnerability status at a glance.
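As an added example (not Lansweeper's report and not Splunk's code), here is the version check such a report performs, written in Python over a constructed inventory. It compares Splunk version strings numerically, because a plain string comparison would rank "8.2.10" below "8.2.9" and "10.0.0" below "9.0.0", and it flags only hosts carrying the deployment-server role, since that is where the fix lands. The inventory records, the `roles` field and its values, and the sample `server/info` response body are all constructed for this example; only the JSON path `entry[0].content.version` follows the shape of Splunk's `/services/server/info` REST endpoint.

```python
"""Flag Splunk Enterprise deployment servers below 9.0 (CVE-2022-32158).

Added example; not Lansweeper's report and not Splunk code. All sample data
below is constructed.
"""
import json
import re

# First fixed version per Splunk's advisory: deployment servers < 9.0 are affected.
FIXED_VERSION = (9, 0, 0)


def parse_version(version: str) -> tuple:
    """Parse '8.2.10', '9.0' or '8.1.3.1' into a (major, minor, patch) tuple.

    Integer tuples avoid the string-compare bug where '8.2.10' < '8.2.9'.
    A missing minor/patch counts as 0; anything after the third component
    (fourth digit, build suffix) is ignored.
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Splunk version string: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the version is below the first fixed release (9.0.0)."""
    return parse_version(version) < FIXED_VERSION


def version_from_server_info(server_info_json: str) -> str:
    """Pull the version out of a /services/server/info?output_mode=json body.

    Only the entry[0].content.version path is taken from Splunk's response
    shape; the document passed in below is constructed.
    """
    doc = json.loads(server_info_json)
    return doc["entry"][0]["content"]["version"]


def vulnerable_deployment_servers(inventory) -> list:
    """Return sorted hostnames of deployment servers still below 9.0.

    Each inventory item is a dict with 'host', 'version' and 'roles'
    (constructed schema). Forwarders and indexers are skipped: the upgrade
    that closes CVE-2022-32158 is on the deployment server.
    """
    hits = []
    for item in inventory:
        if "deployment_server" not in item["roles"]:
            continue
        if is_vulnerable(item["version"]):
            hits.append(item["host"])
    return sorted(hits)


# Constructed sample inventory (hostnames, versions and roles are made up).
SAMPLE_INVENTORY = [
    {"host": "ds01", "version": "8.2.9", "roles": ["deployment_server"]},
    {"host": "ds02", "version": "9.0.0", "roles": ["deployment_server"]},
    {"host": "ds03", "version": "8.1.12", "roles": ["deployment_server"]},
    {"host": "ds04", "version": "10.0.0", "roles": ["deployment_server"]},
    {"host": "idx01", "version": "8.2.10", "roles": ["indexer"]},
    {"host": "uf01", "version": "8.2.6", "roles": ["universal_forwarder"]},
]

# Constructed server/info response trimmed to the fields this check reads.
SAMPLE_SERVER_INFO = json.dumps(
    {"entry": [{"name": "server-info", "content": {"version": "8.2.9"}}]}
)


if __name__ == "__main__":
    print("deployment servers needing upgrade:",
          vulnerable_deployment_servers(SAMPLE_INVENTORY))
    print("version from server/info:",
          version_from_server_info(SAMPLE_SERVER_INFO))
```

When pointing this at real hosts, fetch `/services/server/info?output_mode=json` from each management port with an account that only has read access and feed the body to `version_from_server_info`; the role check should come from your own inventory, since the sample `roles` field here is not a Splunk API field.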
Integrate with Splunk
Lansweeper has multiple integrations with Splunk products. If you want to use Lansweeper's data in Splunk, you can do so in several ways.