Splunk feature(?) to fingerprint OS patch level

Splunk has at least three interesting API endpoints which are called after login.
They provide details about the server's OS patch level.

I don’t know whether it’s a feature and not a vulnerability that these endpoints report server details.
But this information shows whether administrative tasks are taken seriously enough to keep the system up to date.

http://vmu2004:8000/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json
http://vmu2004:8000/en-US/splunkd/__raw/services/server/info?output_mode=json
http://vmu2004:8000/en-US/splunkd/__raw/services/workloads/status?output_mode=json

While the first two also return some more details about the hardware (CPU and RAM), all three report the OS patch level:

"os_build":"#132~20.04.1-Ubuntu SMP Fri Aug 30 15:50:07 UTC 2024",
"os_name":"Linux",
"os_name_extended":"Linux",
"os_version":"5.15.0-122-generic",

If the Splunk version is up to date but the kernel is older than 1.5 years, you could find other vulnerabilities on the system.
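
As an added example (not code from the original post), the same check can be run by an administrator against a saved reply from their own instance: it pulls os_build and os_version out of the JSON and flags a kernel built more than about 1.5 years ago. The entry/content envelope of the sample and all function names are assumptions; the sample is constructed from the four fields quoted above.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample reply: assumed Splunk-style envelope (entry -> content)
# carrying the four OS fields quoted above.
SAMPLE = json.dumps({"entry": [{"name": "server-info", "content": {
    "os_build": "#132~20.04.1-Ubuntu SMP Fri Aug 30 15:50:07 UTC 2024",
    "os_name": "Linux",
    "os_name_extended": "Linux",
    "os_version": "5.15.0-122-generic",
}}]})
MAX_AGE_DAYS = 548  # about 1.5 years, the threshold used in the text
# Matches the uname-style build timestamp, e.g. "Aug 30 15:50:07 UTC 2024"
BUILD_DATE = re.compile(
    r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+UTC\s+(\d{4})")

def find_key(node, key):
    """Depth-first search, so the field's position in the reply does not matter."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            hit = find_key(child, key)
            if hit is not None:
                return hit
    return None

def kernel_build_date(os_build):
    """Return the kernel build time as an aware datetime, or None if unparseable."""
    m = BUILD_DATE.search(os_build or "")
    if not m:
        return None
    month, day, clock, year = m.groups()
    stamp = datetime.strptime(f"{month} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def audit(raw_json, now):
    """Summarise what the reply discloses and whether the kernel looks stale."""
    doc = json.loads(raw_json)
    built = kernel_build_date(find_key(doc, "os_build"))
    age = (now - built).days if built else None
    # Fail closed: a missing or unparseable build date is flagged for review.
    return {"os_version": find_key(doc, "os_version"), "kernel_age_days": age,
            "stale": age is None or age > MAX_AGE_DAYS}

if __name__ == "__main__":
    print(audit(SAMPLE, datetime.now(timezone.utc)))
```

Hiding the fields does not patch the host, so a stale result is a prompt to update the kernel rather than to filter the response.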

Security vulnerabilities are often abstract, and if you can’t see how easy some of them are to exploit, you can’t raise awareness.
It’s actually hard to argue sometimes: "Please do the update because there seem to be vulnerabilities."
But it is very easy if you can say: "Look, this vulnerability is just this easy to exploit."
That shortens many discussions considerably.

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2024 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on November 4, 2024 | Last modified on November 4, 2024