Potential CVE-2023-46214 Exploitation Attempt

calendar Nov 27, 2023 · attack.lateral_movement attack.t1210 cve.2023.46214 detection.emerging_threats  ·
Share on: linkedin copy

Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing

Sigma rule (View on GitHub)

 1title: Potential CVE-2023-46214 Exploitation Attempt
 2id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
 3related:
 4    - id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
 5      type: derived
 6status: experimental
 7description: |
 8        Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
 9references:
10    - https://github.com/nathan31337/Splunk-RCE-poc/
11    - https://blog.hrncirik.net/cve-2023-46214-analysis
12    - https://advisory.splunk.com/advisories/SVD-2023-1104
13author: Nasreddine Bencherchali (Nextron Systems), Bhavin Patel (STRT)
14date: 2023/11/27
15tags:
16    - attack.lateral_movement
17    - attack.t1210
18    - cve.2023.46214
19    - detection.emerging_threats
20logsource:
21    category: webserver
22detection:
23    selection:
24        cs-method: POST
25        cs-uri-query|contains|all:
26            - 'NO_BINARY_CHECK=1'
27            - 'input.path'
28        cs-uri-query|endswith: '.xsl'
29        sc-status:
30            - 200
31            - 302
32    condition: selection
33falsepositives:
34    - Unknown
35level: medium

References

  • GitHub - nathan31337/Splunk-RCE-poc

    Contribute to nathan31337/Splunk-RCE-poc development by creating an account on GitHub.


    Read More

  • Analysis of CVE-2023-46214 + PoC

    CVE-2023-46214 is a Remote Code Execution (RCE) vulnerability found in Splunk Enterprise which was disclosed on November 16, 2023 in the Splunk security advisory SVD-2023-1104. The description of the vulnerability essentially states that Splunk Enterprise versions below 9.0.7 and 9.1.2 are not safely sanitizing user supplied extensible stylesheet language transformations (XSLT).


    Read More

  • Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing

    In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.


    Read More

Related rules

to-top