Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Flaws in IBM QRadar Allow Remote Command Execution

Three vulnerabilities discovered by a researcher in IBM’s QRadar product can be chained for an exploit that allows a remote and unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

Three vulnerabilities discovered by a researcher in IBM’s QRadar product can be chained for an exploit that allows a remote and unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

IBM QRadar is an enterprise security information and event management (SIEM) product designed to help security analysts identify sophisticated threats on their network and improve incident remediation.

Independent researcher Pedro Ribeiro discovered that IBM QRadar is affected by three potentially serious vulnerabilities, which he reported to the tech giant through Beyond Security’s SecuriTeam Secure Disclosure program.

According to IBM, the security holes impact QRadar SIEM 7.3.0 to 7.3.1 Patch 2, and QRadar SIEM 7.2.0 to 7.2.8 Patch 11. Patches are included in versions 7.3.1 Patch 3 and 7.2.8 Patch 12.

IBM has assigned a CVSS score of only 5.6 to the vulnerabilities, which it collectively tracks as CVE-2018-1418. However, the issues seem serious and an advisory in NIST’s National Vulnerability Database (NVD) shows a score of 9.8, which indicates a “critical” severity rating.

According to Beyond Security, QRadar has a built-in application for performing forensic analysis on files. While the application is disabled in the Community Edition, the code is there and part of it still works.

The application has two components: a Java servlet and the main component, which uses PHP. The first component is affected by a vulnerability that can be exploited to bypass authentication, while the second has a flaw that can be leveraged to download and execute a shell.

The flaw affecting the PHP component requires authentication, but that can be achieved by exploiting the first vulnerability. Chaining these vulnerabilities allows a remote attacker to execute arbitrary commands on the system, but only with low privileges (i.e. “nobody” user). However, Ribeiro discovered a third vulnerability that can be exploited to escalate privileges from “nobody” to root.

Advertisement. Scroll to continue reading.

Beyond Security has made available technical details and proof-of-concept (PoC) code for these security holes.

Ribeiro has found many serious vulnerabilities in the past years, including in products from Netgear, NUUO, Asus, Kaseya and BMC.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...