CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Flaws in IBM QRadar Allow Remote Command Execution

Three vulnerabilities discovered by a researcher in IBM’s QRadar product can be chained for an exploit that allows a remote and unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

Three vulnerabilities discovered by a researcher in IBM’s QRadar product can be chained for an exploit that allows a remote and unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

IBM QRadar is an enterprise security information and event management (SIEM) product designed to help security analysts identify sophisticated threats on their network and improve incident remediation.

Independent researcher Pedro Ribeiro discovered that IBM QRadar is affected by three potentially serious vulnerabilities, which he reported to the tech giant through Beyond Security’s SecuriTeam Secure Disclosure program.

According to IBM, the security holes impact QRadar SIEM 7.3.0 to 7.3.1 Patch 2, and QRadar SIEM 7.2.0 to 7.2.8 Patch 11. Patches are included in versions 7.3.1 Patch 3 and 7.2.8 Patch 12.

IBM has assigned a CVSS score of only 5.6 to the vulnerabilities, which it collectively tracks as CVE-2018-1418. However, the issues seem serious and an advisory in NIST’s National Vulnerability Database (NVD) shows a score of 9.8, which indicates a “critical” severity rating.

According to Beyond Security, QRadar has a built-in application for performing forensic analysis on files. While the application is disabled in the Community Edition, the code is there and part of it still works.

The application has two components: a Java servlet and the main component, which uses PHP. The first component is affected by a vulnerability that can be exploited to bypass authentication, while the second has a flaw that can be leveraged to download and execute a shell.

The flaw affecting the PHP component requires authentication, but that can be achieved by exploiting the first vulnerability. Chaining these vulnerabilities allows a remote attacker to execute arbitrary commands on the system, but only with low privileges (i.e. “nobody” user). However, Ribeiro discovered a third vulnerability that can be exploited to escalate privileges from “nobody” to root.

Advertisement. Scroll to continue reading.

Beyond Security has made available technical details and proof-of-concept (PoC) code for these security holes.

Ribeiro has found many serious vulnerabilities in the past years, including in products from Netgear, NUUO, Asus, Kaseya and BMC.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.