Hello, welcome to the Monday, June 20th, 2020 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Splunk, late last week, released a critical patch for the Splunk Enterprise Deployment Server. The deployment server is an

optional component, but it's very commonly enabled because it allows you to centrally manage

Splunk forwarders. To accomplish this, the deployment server is able to essentially push

configuration files to Splunk Forwarders and other Splunk instances that are used within an organization.

So it's a simple central configuration tool.

These configuration files may also include binaries that are executed by the recipient of the package.

Now, before you think that this is actually the root of the problem here, it's part of it,

but not really what's causing the vulnerability.

Typically, the deployment server just pushes files out to the forwarder, so code is executed

on the forwarder as instructed by deployment server. The forward itself

should really only receive those files, but the vulnerability that was patched late last week

does allow forwarders to actually execute commands on the Splunk deployment server.

Now, since you typically have these forwarders installed throughout the enterprise on different

endpoints, what this means is if one of those endpoints gets compromised, then an attacker

could use the Splunk forwarder to compromise the deployment server.

And once the deployment server is compromised, then of course the attacker could compromise

the enterprise by pushing malicious configuration from the deployment server.

And of course, these forwarders, they have to read all these log files, which requires

privileges.

So they typically do run as

...