Exploitation Attempt Of CVE-2023-46214 Using Public POC Code

calendar Nov 27, 2023 · cve.2023.46214 detection.emerging_threats attack.lateral_movement attack.t1210  ·
Share on: linkedin copy

Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code

Sigma rule (View on GitHub)

 1title: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
 2id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
 3related:
 4    - id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
 5      type: derived
 6status: experimental
 7description: |
 8        Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
 9references:
10    - https://github.com/nathan31337/Splunk-RCE-poc/
11    - https://blog.hrncirik.net/cve-2023-46214-analysis
12    - https://advisory.splunk.com/advisories/SVD-2023-1104
13author: Lars B. P. Frydenskov(Trifork Security)
14date: 2023/11/27
15tags:
16    - cve.2023.46214
17    - detection.emerging_threats
18    - attack.lateral_movement
19    - attack.t1210
20logsource:
21    category: webserver
22detection:
23    selection_method_and_response:
24        cs-method: POST
25        sc-status:
26            - 200
27            - 302
28    selection_uri_upload:
29        cs-uri-stem|contains: '/splunkd/__upload/indexing/preview'
30        cs-uri-query|contains|all:
31            - 'NO_BINARY_CHECK=1'
32            - 'input.path=shell.xsl'
33    selection_uri_search:
34        cs-uri-stem|contains|all:
35            - '/api/search/jobs'
36            - '/results'
37        cs-uri-query|contains|all:
38            - '/opt/splunk/var/run/splunk/dispatch/'
39            - '/shell.xsl'
40    condition: selection_method_and_response and 1 of selection_uri_*
41falsepositives:
42    - Unlikely
43level: high

References

  • GitHub - nathan31337/Splunk-RCE-poc

    Contribute to nathan31337/Splunk-RCE-poc development by creating an account on GitHub.


    Read More

  • Analysis of CVE-2023-46214 + PoC

    CVE-2023-46214 is a Remote Code Execution (RCE) vulnerability found in Splunk Enterprise which was disclosed on November 16, 2023 in the Splunk security advisory SVD-2023-1104. The description of the vulnerability essentially states that Splunk Enterprise versions below 9.0.7 and 9.1.2 are not safely sanitizing user supplied extensible stylesheet language transformations (XSLT).


    Read More

  • Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing

    In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.


    Read More

Related rules

to-top