CVE-2023-40596 Overview
CVE-2023-40596 affects Splunk Enterprise on Windows. A dynamic link library (DLL) shipped with Splunk Enterprise references an insecure path for the OPENSSLDIR build definition. An attacker with local access can plant malicious code at the referenced path to achieve privilege escalation on the Windows host. The vulnerability is tracked under [CWE-427] (Uncontrolled Search Path Element) and [CWE-665] (Improper Initialization). Splunk addressed the issue in versions 8.2.12, 9.0.6, and 9.1.1.
Critical Impact
A local low-privileged user can escalate to the privileges of the Splunk service by writing a malicious file to the insecure OPENSSLDIR path that the bundled DLL trusts at runtime.
Affected Products
- Splunk Enterprise versions earlier than 8.2.12
- Splunk Enterprise versions earlier than 9.0.6
- Splunk Enterprise version 9.1.0 (fixed in 9.1.1) on Microsoft Windows
Discovery Timeline
- 2023-08-30 - CVE-2023-40596 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-40596
Vulnerability Analysis
The vulnerability stems from how a DLL bundled with Splunk Enterprise was compiled. During the build process for the OpenSSL component, the OPENSSLDIR macro was set to a directory path that is writable or controllable by non-administrative users on Windows. At runtime, the DLL consults OPENSSLDIR to locate configuration files such as openssl.cnf and engine modules. Because the path resolves outside a protected system location, an attacker can introduce a malicious configuration file or supporting binary that the Splunk process loads. The Splunk service typically runs with elevated privileges, so any code loaded through this path executes in a higher security context than the attacker's own session.
Root Cause
The root cause is an insecure compile-time constant. The OPENSSLDIR build definition was set to a path that does not enforce administrative-only write access. This violates the principle that trusted configuration sources must reside in locations protected from low-privileged users. The flaw maps to [CWE-427] because the loader trusts an attacker-influenced search path, and [CWE-665] because security-relevant initialization data is drawn from an unsafe location.
Attack Vector
Exploitation requires local access with low privileges on the Windows machine running Splunk Enterprise. The attacker writes a crafted openssl.cnf file or a malicious engine DLL into the path referenced by OPENSSLDIR. When the Splunk service or a Splunk-invoked process loads the bundled OpenSSL DLL, it parses the attacker-controlled configuration and loads referenced modules. This results in code execution under the Splunk service account, yielding privilege escalation. User interaction is not required, and the scope changes because the compromised process operates with privileges beyond the attacker's original context. See the Splunk Security Advisory SVD-2023-0805 for vendor-confirmed technical details.
Detection Methods for CVE-2023-40596
Indicators of Compromise
- Unexpected openssl.cnf files, engine DLLs, or provider modules appearing in the OPENSSLDIR path referenced by the Splunk-shipped OpenSSL DLL.
- Splunk service processes (splunkd.exe, splunk.exe) loading DLLs from non-standard, user-writable directories.
- New child processes spawned by splunkd.exe that execute commands or shells inconsistent with normal Splunk operation.
Detection Strategies
- Audit file creation events in any non-administrative path referenced by the bundled OpenSSL DLL using Windows Sysmon Event ID 11.
- Hunt for module load events (Sysmon Event ID 7) where splunkd.exe loads DLLs from user-writable locations.
- Compare installed Splunk Enterprise versions against fixed releases 8.2.12, 9.0.6, and 9.1.1 across the Windows fleet.
Monitoring Recommendations
- Forward Sysmon, Windows Security, and Splunk service logs to a central analytics platform for correlation of file writes and process creation under the Splunk account.
- Alert on privilege escalation patterns where a low-privileged user's file write is followed by code execution under LocalSystem or the Splunk service account.
- Maintain an inventory of Splunk Enterprise hosts and continuously validate patch status against SVD-2023-0805.
How to Mitigate CVE-2023-40596
Immediate Actions Required
- Upgrade Splunk Enterprise to version 8.2.12, 9.0.6, 9.1.1, or later on all Windows hosts.
- Restrict interactive and remote access to Splunk Enterprise Windows servers to administrators only, reducing the local attacker pool.
- Review the OPENSSLDIR path on affected systems and remove any files that were not placed by an authorized installer.
Patch Information
Splunk released fixed builds in versions 8.2.12, 9.0.6, and 9.1.1. The patched releases rebuild the bundled OpenSSL DLL with a secure OPENSSLDIR value that points to a protected location. Refer to the Splunk Security Advisory SVD-2023-0805 for download links and version-specific guidance.
Workarounds
- If immediate patching is not feasible, apply NTFS access control lists to deny write access for non-administrative users on the insecure OPENSSLDIR path.
- Enforce Windows application control policies, such as AppLocker or Windows Defender Application Control, to block unsigned DLLs from loading into splunkd.exe.
- Limit membership of local user groups on Splunk Windows servers and remove unnecessary interactive logon rights.
# Example: restrict write access on the insecure OPENSSLDIR path (PowerShell)
$Path = 'C:\Path\Referenced\By\OPENSSLDIR'
icacls $Path /inheritance:r
icacls $Path /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'
icacls $Path /grant:r 'Users:(OI)(CI)RX'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
