Identifying Asana Desktop Clients Vulnerable to CVE-2023-49314 with Splunk.
One day I received a notification about a new vulnerability in the Desktop version from Asana. They spoke about CVE-2023-49314. In theory, an attacker can prepare malicious input for an Asana public form and cause code injection on a MacBook with a vulnerable Asana Desktop client.
Since I’m collecting Asana logs I thought I’d look for information on who’s connecting with a version lower than 2.1.2.
The context.user_agent field contains the version, for example: AsanaDesktopOfficial win32_x64/2.1.2 Chrome/120.0.6099.109. What do we need?
- find connections from desktop applications over the last 6 months.
- extract the version from the context.user_agent field.
- deduplicate employees, keeping each one's most recent connection.
- exclude version 2.1.2 from the search.
- match the employees found against current employees only.
- prepare a CSV for the future tasks in Asana.
My search:
index=asana "context.context_type"=desktop
| rex field=context.user_agent "(?<version>\d+\.\d+\.\d+)"
| eval event_time=strptime(created_at, "%Y-%m-%dT%H:%M:%S.%QZ")
| sort 0 - event_time
| dedup actor.email
| search version!=2.1.2
| rename actor.email as username
| lookup ad_users.csv username as username
| search enabled=true
| rename username as Assignee
| eval "Task Name"="Upgrade your Asana Desktop App. Urgent"
| eval Description="We have been made aware of a critical security vulnerability (CVE-2023-49314) affecting certain versions of the Asana Desktop Client. To mitigate potential risks and ensure the security of our data and operations, it is imperative that all employees using the Asana Desktop Client perform an immediate upgrade to the latest version."
| eval "Due Date"="2024-02-10"
| table "Task Name",Assignee,Description,"Due Date"
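The search above excludes only the exact string 2.1.2, so a client on any later release would still be listed. The following added example (not the author's code) applies the same selection to exported events in Python, comparing versions numerically against "lower than 2.1.2". The flat dotted event keys, the sample events, the enabled-user set standing in for ad_users.csv and the shortened task description are assumptions constructed for illustration.

```python
import csv, io, re
from datetime import datetime

FIXED = (2, 1, 2)  # the article treats versions lower than 2.1.2 as affected
UA_RE = re.compile(r"AsanaDesktopOfficial\s+\S+/(\d+)\.(\d+)\.(\d+)")
UA = "AsanaDesktopOfficial darwin_arm64/{} Chrome/120.0.6099.109"

def _event(email, created_at, version, context_type="desktop"):
    # Constructed sample event keyed by the field names used in the article's search.
    return {"actor.email": email, "created_at": created_at,
            "context.context_type": context_type,
            "context.user_agent": UA.format(version)}

SAMPLE_EVENTS = [
    _event("alice@example.com", "2024-01-10T09:00:00.000Z", "2.1.0"),
    _event("alice@example.com", "2024-01-20T09:00:00.000Z", "2.1.2"),   # upgraded since
    _event("bob@example.com",   "2024-01-15T09:00:00.000Z", "2.0.9"),
    _event("carol@example.com", "2024-01-16T09:00:00.000Z", "2.10.0"),  # newer, not older
    _event("dave@example.com",  "2024-01-17T09:00:00.000Z", "2.1.1"),   # account disabled
]
# Hypothetical stand-in for the enabled=true rows of ad_users.csv.
ENABLED_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}

def parse_version(user_agent):
    """Return (major, minor, patch) from a desktop user agent, or None."""
    m = UA_RE.search(user_agent or "")
    return tuple(int(p) for p in m.groups()) if m else None

def vulnerable_users(events, enabled_users, fixed=FIXED):
    """Enabled users whose most recent desktop connection used a version below `fixed`."""
    latest = {}  # email -> (timestamp, version) of the newest desktop event
    for ev in events:
        if ev.get("context.context_type") != "desktop" or not ev.get("actor.email"):
            continue
        ts = datetime.strptime(ev["created_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
        email = ev["actor.email"]
        if email not in latest or ts > latest[email][0]:
            latest[email] = (ts, parse_version(ev.get("context.user_agent")))
    # Tuples compare numerically, so (2, 10, 0) is correctly newer than (2, 1, 2).
    return sorted(e for e, (_, v) in latest.items()
                  if e in enabled_users and v is not None and v < fixed)

def tasks_csv(assignees, due_date="2024-02-10"):
    """Build a CSV with the column layout the article's search produces."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Task Name", "Assignee", "Description", "Due Date"])
    for a in assignees:
        writer.writerow(["Upgrade your Asana Desktop App. Urgent", a,
                         "Upgrade the Asana Desktop Client (CVE-2023-49314).", due_date])
    return buf.getvalue()
```

Users whose user agent cannot be parsed are skipped here; in practice they are worth listing separately for manual review.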
We exported the CSV. Let’s create the tasks for these employees in Asana.
Go to the project and import the resulting CSV.
Hooray. All affected employees have been notified.