LTS Secure Warning: Vulnerabilities in IBM QRadar

Security researcher Pedro Ribeiro has reported a set of vulnerabilities in IBM QRadar, collectively tracked as CVE-2018-1418, that allow an attacker to bypass authentication and execute arbitrary commands with root privileges.

IBM QRadar is an enterprise security information and event management (SIEM) product that collects log data from operating systems, vulnerability data, user activity and behaviour, and network devices. It can be deployed as a hardware, software or virtual appliance. The National Vulnerability Database rates the issue Critical, with a base score of 9.8.

Technical Details

“The Forensics web application is disabled in QRadar Community Edition, but the code still works, so these vulnerabilities can be exploited in all flavours of QRadar,” says Beyond Security.

QRadar contains a built-in forensic analysis application made up of two components: a servlet running in Java, and the main web application written in PHP.

The exploit chain starts by abusing the first component, the Forensic Analysis Servlet, to bypass authentication, and then chains into the second vulnerability, a command injection in the PHP web application. Through the PHP web application an attacker can download and execute a shell, but only as the unprivileged “nobody” user. Technical details and a proof of concept can be found at Beyond Security.

Impact

  • The vulnerability allows a remote attacker to execute arbitrary SQL commands in the web application database.
  • Successful exploitation of the vulnerability may allow an attacker to gain administrative access to the vulnerable web application.
  • The vulnerability allows a remote attacker to execute arbitrary code on the target system.
  • The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

Recommended Actions

Ribeiro also escalated privileges from the limited “nobody” user to root by leveraging a cron job as a local user. He confirmed the vulnerabilities in 7.3.0 and 7.3.1 and states that all versions released since mid-2014 are affected.
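The page does not describe how the cron job was abused, so the following is a generic hardening check rather than a reconstruction of Ribeiro's step: it parses /etc/crontab-style entries and flags every job run as root whose target executable (or its parent directory) is owned by, or writable by, a non-root user. This is an added example, not code from the page, from IBM or from the researcher; the crontab lines, paths, owners and modes are constructed for the demo and a fake stat lookup stands in for os.stat so the check runs without root-owned files.

```python
import os
import stat
from collections import namedtuple
from typing import Callable, Dict, List

# Minimal stand-in for os.stat_result so the demo runs without real root-owned files.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")


def parse_system_crontab(text: str) -> List[Dict[str, str]]:
    """Parse /etc/crontab-style lines (with a user field) into {user, command} records.
    Skips comments, blank lines and VAR=value assignments; supports @hourly-style specs."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)          # @spec user command
            needed = 3
        else:
            fields = line.split(None, 6)          # m h dom mon dow user command
            needed = 7
        if len(fields) < needed:
            continue
        jobs.append({"user": fields[-2], "command": fields[-1]})
    return jobs


def _writable_by_non_owner(mode: int) -> bool:
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_root_cron_jobs(jobs: List[Dict[str, str]],
                         stat_fn: Callable = os.stat) -> Dict[str, List[str]]:
    """For each job run as root, inspect the first token of the command (the target
    executable) and its parent directory. Returns {target: [problems]} for targets
    that a non-root local user could replace or modify."""
    findings: Dict[str, List[str]] = {}
    for job in jobs:
        if job["user"] != "root":
            continue
        target = job["command"].split()[0]
        problems: List[str] = []
        if not target.startswith("/"):
            problems.append("relative path: resolved through PATH at run time")
        else:
            try:
                st = stat_fn(target)
            except FileNotFoundError:
                st = None
                problems.append("target missing: anyone who can write the directory could create it")
            if st is not None:
                if st.st_uid != 0:
                    problems.append(f"owned by uid {st.st_uid}, not root")
                if _writable_by_non_owner(st.st_mode):
                    problems.append(f"file mode {stat.filemode(st.st_mode)} is group/world writable")
            parent_dir = os.path.dirname(target)
            try:
                parent = stat_fn(parent_dir)
                # A sticky bit stops deletion by others but not creation of new files,
                # so a writable parent is still reported.
                if _writable_by_non_owner(parent.st_mode):
                    problems.append(f"parent directory {parent_dir} is group/world writable")
            except FileNotFoundError:
                pass
        if problems:
            findings[target] = problems
    return findings


# Constructed filesystem view for the demo (hypothetical paths, not QRadar's): path -> (uid, mode).
SAMPLE_FS = {
    "/opt": FakeStat(0, 0o40755),
    "/opt/maint": FakeStat(0, 0o40755),
    "/opt/maint/rotate.sh": FakeStat(0, 0o100755),   # root-owned, 0755: fine
    "/opt/maint/cleanup.sh": FakeStat(0, 0o100777),  # world-writable script run as root
    "/var/tmp": FakeStat(0, 0o41777),                # sticky, world-writable directory
    "/var/tmp/report.sh": FakeStat(99, 0o100755),    # owned by uid 99 ("nobody" on many systems)
}


def fake_stat(path: str):
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    return SAMPLE_FS[path]


SAMPLE_CRONTAB = """\
# constructed sample /etc/crontab (not from any appliance)
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * * root /opt/maint/rotate.sh
* * * * * root /opt/maint/cleanup.sh --quiet
@hourly root /var/tmp/report.sh
0 3 * * * nobody /opt/maint/cleanup.sh
"""


def demo() -> Dict[str, List[str]]:
    return audit_root_cron_jobs(parse_system_crontab(SAMPLE_CRONTAB), fake_stat)


if __name__ == "__main__":
    for target, problems in demo().items():
        print(target)
        for p in problems:
            print("  -", p)
```

On a real host, call `audit_root_cron_jobs(parse_system_crontab(open("/etc/crontab").read()))` with the default `os.stat`, and repeat for the files under /etc/cron.d. The job run as `nobody` is deliberately skipped: the check is about what root will execute, not about every entry.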

IBM has released patches. The affected products and versions are IBM QRadar SIEM 7.3.0 to 7.3.1 Patch 2 and IBM QRadar SIEM 7.2.0 to 7.2.8 Patch 11.
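To turn the version ranges above into an inventory check, the following added example (not code from the page or from IBM) parses QRadar version strings of the form "X.Y.Z" or "X.Y.Z Patch N", treats the two listed ranges as affected (inclusive at both ends), and groups a host inventory by result. The fix levels themselves are not stated on this page, so a version above a listed range is reported as "above listed ranges" rather than as fixed; the version-string format and the host names are assumptions for the demo.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Affected ranges as listed in the text above, inclusive at both ends.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("7.3.0", "7.3.1 Patch 2"),
    ("7.2.0", "7.2.8 Patch 11"),
]

# Assumed format: "7.3.1" or "7.3.1 Patch 2" (case-insensitive "Patch").
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """'7.3.1 Patch 2' -> (7, 3, 1, 2); a bare '7.3.1' is patch level 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised QRadar version string: {text!r}")
    major, minor, build, patch = m.groups()
    return (int(major), int(minor), int(build), int(patch or 0))


def classify(version: str) -> str:
    """'affected' if inside a listed range; otherwise say which side of the ranges it is on."""
    v = parse_version(version)
    ranges = [(parse_version(lo), parse_version(hi)) for lo, hi in AFFECTED_RANGES]
    if any(lo <= v <= hi for lo, hi in ranges):
        return "affected"
    if v < min(lo for lo, _ in ranges):
        # The researcher states all releases since mid-2014 are affected, so these
        # still need attention even though the bulletin's ranges do not name them.
        return "below listed ranges"
    return "above listed ranges"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by classification; unparsable versions go under 'unparsed'."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        try:
            key = classify(version)
        except ValueError:
            key = "unparsed"
        groups.setdefault(key, []).append(host)
    return groups


# Constructed inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "siem-eu-1": "7.3.1 Patch 2",
    "siem-eu-2": "7.3.1 Patch 3",
    "siem-us-1": "7.2.8 Patch 11",
    "siem-us-2": "7.2.8 Patch 12",
    "siem-lab": "7.2.0",
    "siem-old": "7.1.2",
    "siem-bad": "unknown",
}


if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{group}: {', '.join(hosts)}")
```

Before acting on the "above listed ranges" bucket, confirm the actual fix level in IBM's bulletin; the script only knows what this page states.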


IBM published a security bulletin about multiple vulnerabilities in IBM QRadar on May 1, 2018.