
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability (CVE-2023-40596) was discovered in Splunk Enterprise affecting versions earlier than 8.2.12, 9.0.6, and 9.1.1. The vulnerability stems from a dynamic link library (DLL) shipped with Splunk Enterprise that references an insecure path for the OPENSSLDIR build definition. It was assigned a CVSS score of 7.0 (High) and primarily affects Windows-based installations (Splunk Advisory, SecurityWeek).
The flaw is introduced when the DLL files that ship with a Splunk Enterprise installation are built. When a build definition reference is not provided, the build system defaults to using the local directory on the build system. In this case, the OPENSSLDIR definition was not explicitly provided at build time, resulting in an insecure path being encoded into the affected DLL file. The vulnerability has been assigned a CVSS v3.1 base score of 7.0 with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (Splunk Advisory).
An attacker who successfully exploits this vulnerability can determine the insecure directory path and create a malicious directory structure locally on the Splunk Enterprise instance. This allows them to install malicious code within this directory structure, potentially leading to privilege escalation on the affected Windows machine (SecurityOnline, Splunk Advisory).
The primary mitigation is to upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. For organizations unable to upgrade immediately, Splunk recommends restricting the permissions of the user that runs the splunkd process to core functionality. Users should review the Harden Your Windows Installation guide for additional security measures. This vulnerability does not affect Splunk Cloud Platform (Splunk Advisory).
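Whether the condition described above is reachable on a given host depends on who may create directories under the nearest existing ancestor of the path embedded in the DLL. The following added example (not code from Splunk or from this page's sources) parses `icacls` output for that ancestor and lists untrusted principals holding create or write rights; the path, the sample `icacls` output and the trusted-principal list are constructed assumptions.

```python
import ntpath
import re

# icacls rights that permit creating or changing content in a directory:
# F full, M modify, W write, WD add file, AD add subdirectory, GA/GW generic all/write
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Principals expected to hold write access (assumption: adjust to local policy)
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM",
           "NT SERVICE\\TrustedInstaller"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")


def nearest_existing_ancestor(path, exists):
    """Walk up a Windows path until exists(p) is true; that directory's ACL
    decides who can create the missing directories below it."""
    while not exists(path):
        parent = ntpath.dirname(path)
        if parent == path:  # reached the drive root
            break
        path = parent
    return path


def risky_aces(icacls_output, path):
    """Return sorted (principal, right) pairs that let an untrusted principal
    create or modify content directly in `path`."""
    findings = set()
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):  # the first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m or m["who"] in TRUSTED:
            continue  # trailer line, blank line, or an expected writer
        groups = re.findall(r"\(([^)]*)\)", m["flags"])
        if "IO" in groups or "DENY" in groups:
            continue  # inherit-only and deny ACEs grant nothing on this directory
        rights = {r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
        findings.update((m["who"], r) for r in rights & WRITE_RIGHTS)
    return sorted(findings)


# Constructed sample: placeholder path and icacls output, not values from the advisory
OPENSSLDIR = r"C:\PLACEHOLDER\build\ssl"
SAMPLE_ICACLS = r"""C:\ BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    NT AUTHORITY\Authenticated Users:(AD)
"""
```

On a real host, pass `os.path.exists` as `exists` and feed `risky_aces` the output of `icacls` run against the returned ancestor; an empty result means only the trusted principals can create content there.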
Source: This report was generated using AI