Splunk Active Directory 支持插件 (SA-ldapsearch) 中的正则表达式拒绝服务 (ReDoS)

攻击者可以利用 CVE-2025-0367 漏洞发送精心构造的 LDAP 查询，触发正则表达式引擎的过度消耗，导致 Splunk Supporting Add-on for Active Directory 服务崩溃或变得无响应。这可能导致监控中断、数据丢失以及对依赖于该插件的 Splunk 实例的可用性影响。由于该插件通常用于 Active Directory 集成，攻击者可能能够通过该漏洞间接影响 Active Directory 域的稳定性。虽然该漏洞的直接影响可能仅限于插件本身，但其潜在的间接影响不容忽视。

Organizations heavily reliant on Splunk for Active Directory monitoring are particularly at risk. Environments with complex Active Directory structures and frequent LDAP queries are more susceptible to DoS attacks. Security teams using the Splunk Supporting Add-on for Active Directory to automate security tasks or incident response are also at heightened risk, as a DoS condition could disrupt these critical functions.

• linux / server: Monitor system resource usage (CPU, memory) for unusual spikes, especially during LDAP query processing. Use top, htop, or similar tools to identify processes consuming excessive resources.

top

• linux / server: Examine Splunk logs for errors related to LDAP queries or regular expression processing. Look for patterns indicative of excessive backtracking or resource exhaustion.

journalctl -u splunk | grep -i "regex" -i "ldap"

• generic web: If the add-on exposes any web interfaces, monitor for unusual request patterns or error rates that might correlate with LDAP query processing.

1. 2025-01-30Disclosure

   disclosure

1. 已保留2025-01-09
2. 发布日期2025-01-30
3. 修改日期2025-02-12
4. EPSS 更新日期2026-04-02

最有效的缓解措施是立即将 Splunk Supporting Add-on for Active Directory 升级至 3.1.1 或更高版本。如果升级不可行，可以尝试限制插件的 LDAP 查询速率，以减少 DoS 攻击的可能性。此外，可以考虑使用 Web 应用防火墙 (WAF) 或代理服务器来过滤恶意 LDAP 查询。虽然无法完全阻止攻击，但这些措施可以降低风险。升级后，请验证插件是否正常运行，并检查 Splunk 实例的日志中是否存在异常活动。