CVE-2022-32155

Universal Forwarder management services allows remote login by default

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In universal forwarder versions before 9.0, management services are available remotely by default. When not required, it introduces a potential exposure, but it is not a vulnerability. If exposed, we recommend each customer assess the potential severity specific to your environment. In 9.0, the universal forwarder now binds the management port to localhost preventing remote logins by default. If management services are not required in versions before 9.0, set disableDefaultPort = true in server.conf OR allowRemoteLogin = never in server.conf OR mgmtHostPort = localhost in web.conf. See Configure universal forwarder management security (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_universal_forwarder_management_security) for more information on disabling the remote management services.

En forwarder universal versiones anteriores a 9.0, los servicios de administración están disponibles de forma remota por defecto. Cuando no es requerido, introduce una exposición potencial, pero no es una vulnerabilidad. Si es expuesta, recomendamos que cada cliente evalúe la gravedad potencial específica de su entorno. En versión 9.0, el reenviador universal vincula ahora el puerto de administración a localhost, lo que impide el inicio de sesión remoto por defecto. Si los servicios de administración no son necesarios en versiones anteriores a 9.0, establezca disableDefaultPort = true en server.conf O allowRemoteLogin = never en server.conf O mgmtHostPort = localhost en web.conf. Consulte Configurar la seguridad de la administración del reenviador universal (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_universal_forwarder_management_security) para obtener más información sobre la deshabilitación de los servicios de administración remota

*Credits: Chris Green at Splunk

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-31 CVE Reserved
2022-06-15 CVE Published
2024-01-06 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-732: Incorrect Permission Assignment for Critical Resource

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/EnableTLSCertHostnameValidation#Configure_universal_forwarder_management_security	2022-06-24
https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/Updates	2022-06-24
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0605.html	2022-06-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Splunk Search vendor "Splunk"		Splunk Search vendor "Splunk" for product "Splunk"				< 9.0 Search vendor "Splunk" for product "Splunk" and version " < 9.0"		enterprise		Affected
Splunk Search vendor "Splunk"		Splunk Cloud Platform Search vendor "Splunk" for product "Splunk Cloud Platform"				< 8.2.2106 Search vendor "Splunk" for product "Splunk Cloud Platform" and version " < 8.2.2106"		-		Affected