
Cloud Vulnerability DB
A community-led vulnerabilities database
In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, a command injection vulnerability (CVE-2023-40598) was discovered that allows attackers to execute arbitrary code on Splunk platform instances. The vulnerability was disclosed on August 30, 2023, and received a CVSS v3.1 base score of 8.8 (High) from NVD and 8.5 (High) from Splunk (NVD, Splunk Advisory).
The flaw lies in a legacy internal function that is reachable through external lookups: the deprecated runshellscript command used by scripted alert actions. An attacker can chain runshellscript with an external command lookup to inject commands and have them executed in a privileged context on the Splunk platform instance. The vulnerability has been assigned CWE-306 (Missing Authentication for Critical Function) and CWE-77 (Improper Neutralization of Special Elements used in a Command) (NVD, Splunk Advisory).
If successfully exploited, the vulnerability lets an attacker write code into the Splunk platform installation directory and then execute that code on the Splunk platform instance. Because the Splunk process holds the credentials and indexed data of the deployment, this amounts to compromise of the instance and potential exposure of the data it holds (SecurityWeek).
The primary mitigation is to upgrade Splunk Enterprise to version 8.2.12, 9.0.6, or 9.1.1 (or later on the respective branch). Where an immediate upgrade is not possible, Splunk recommends disabling Splunk Web on indexers in a distributed environment if users do not need to log in to Splunk Web on those indexers; the Splunk documentation on disabling unnecessary Splunk Enterprise components describes how to do this (Splunk Advisory).
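A practitioner triaging this advisory usually wants a quick, repeatable check of which instances still sit below the fixed release on their branch. The following Python script is an added example for this page, not code from Splunk or from the Cloud Vulnerability DB: it encodes the three fixed versions named above, parses a Splunk version string (or the contents of the etc/splunk.version file that ships with every install) and reports whether the instance predates the fix. The sample file contents and build hash are constructed for the example, and the choice to treat end-of-support branches older than 8.2 as affected is an assumption.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# First fixed maintenance release on each branch named in the Splunk advisory
# for CVE-2023-40598, keyed by (major, minor) branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (8, 2): (8, 2, 12),
    (9, 0): (9, 0, 6),
    (9, 1): (9, 1, 1),
}

# Constructed sample of $SPLUNK_HOME/etc/splunk.version (the BUILD hash is
# made up for this example; only the VERSION= line matters here).
SAMPLE_SPLUNK_VERSION_FILE = """VERSION=9.0.5
BUILD=0123456789ab
PRODUCT=splunk
PLATFORM=Linux-x86_64
"""


def parse_version(version: str) -> Version:
    """Turn '9.0.5', '9.0.5.1' or 'Splunk 9.0.5 (build ...)' into (major, minor, patch).

    A fourth component (the .1 in 9.0.5.1) is dropped; such a release is still
    lower than the next maintenance release, so the verdict does not change.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Splunk version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def version_from_file(text: str) -> str:
    """Extract the VERSION= value from the contents of etc/splunk.version."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "VERSION":
            return value.strip()
    raise ValueError("no VERSION= line found")


def is_vulnerable(version: str) -> bool:
    """True if this Splunk Enterprise version predates the fix on its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[branch]
    if branch > (9, 1):
        # Branches newer than 9.1 were cut after the fix landed.
        return False
    # Branches older than 8.2 never received this fix. Assumption: treat those
    # end-of-support releases as affected rather than unknown.
    return True


def assess(version: str) -> str:
    """Human-readable verdict plus the upgrade target for the branch."""
    major, minor, _ = parse_version(version)
    if not is_vulnerable(version):
        return f"{version}: not affected by CVE-2023-40598"
    target = FIXED_VERSIONS.get((major, minor))
    if target is None:
        return f"{version}: affected; branch has no fixed release, move to a supported branch"
    return f"{version}: affected; upgrade to {'.'.join(map(str, target))} or later"


if __name__ == "__main__":
    # On a real host, read $SPLUNK_HOME/etc/splunk.version instead of the sample.
    print(assess(version_from_file(SAMPLE_SPLUNK_VERSION_FILE)))
    for v in ("8.2.11", "8.2.12", "9.1.0", "9.1.1", "9.2.0", "8.1.4"):
        print(assess(v))
```

On a live instance the same string comes from `$SPLUNK_HOME/etc/splunk.version` or from the output of `splunk version`, which the parser also accepts. For the interim mitigation on indexers, Splunk Web is switched off with `splunk disable webserver`, which corresponds to `startwebserver = 0` in the `[settings]` stanza of web.conf; that only narrows the reachable surface and is not a substitute for moving to a fixed release.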
Source: This report was generated using AI