Flaws in IBM QRadar Allow Remote Command Execution

guest · May 29, 2018

Flaws in IBM QRadar Allow Remote Command Execution
May 29, 2018
https://www.securityweek.com/flaws-ibm-qradar-allow-remote-command-execution

Independent researcher Pedro Ribeiro discovered that IBM QRadar is affected by three potentially serious vulnerabilities, which he reported to the tech giant through Beyond Security’s SecuriTeam Secure Disclosure program.

IBM has assigned a CVSS score of only 5.6 to the vulnerabilities, which it collectively tracks as CVE-2018-1418. However, the issues seem serious and an advisory in NIST’s National Vulnerability Database (NVD) shows a score of 9.8, which indicates a “critical” severity rating.

The flaw affecting the PHP component requires authentication, but that can be achieved by exploiting the first vulnerability. Chaining these vulnerabilities allows a remote attacker to execute arbitrary commands on the system, but only with low privileges (i.e. “nobody” user). However, Ribeiro discovered a third vulnerability that can be exploited to escalate privileges from “nobody” to root.

Beyond Security has made available technical details and proof-of-concept (PoC) code for these security holes.
Click to expand...

guest · Oct 15, 2020

QRadar: Popular IBM security tool open to remote code execution attacks
Deserialization vulnerability in SIEM product could lead to complete system compromise
October 15, 2020
https://portswigger.net/daily-swig/...ty-tool-open-to-remote-code-execution-attacks

A Java deserialization bug in QRadar, IBM’s enterprise security information and event management (SIEM) platform, allowed hackers to conduct various attacks, including remote code execution.

The bug, found by a security researcher at Netherlands-based start-up Securify, could be triggered by passing objects containing malicious code to a Servlet component of QRadar Community Edition.
If deserialization is not handled properly, hackers can exploit the process to send malicious data to Java application servers.
Click to expand...

Access required
While the vulnerability was dangerous, exploiting it required an attacker to have access to a valid user account in the QRadar installation because the Servlet was only accessible to authenticated user sessions.

“A valid account is needed to trigger the vulnerability. But the account doesn’t require any special permissions. Any account would work,” Koster told The Daily Swig.
Koster published a proof of concept that shows the vulnerability in action, used to conduct an RCE attack.
Click to expand...

Fast patch
Koster found and reported the deserialization vulnerability along with nine other bugs in January while actively researching QRadar CE. Most were fixed in April.
The RemoteJavaScript Servlet was fixed in the latest version of QRadar CE, released in October.
Click to expand...

Log in or Sign up

Flaws in IBM QRadar Allow Remote Command Execution

guest Guest

guest Guest

Log in or Sign up

Flaws in IBM QRadar Allow Remote Command Execution

guest Guest

guest Guest

Useful Searches