Ribeiro found three security vulnerabilities affecting IBM's QRadar product. One of them, CVE-2018-1418, allows a remote, unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges. The vulnerability was given a CVSS score of 5.6, but the National Vulnerability Database (NVD) run by NIST in the US recommends a score of 9.8.
IBM QRadar is an enterprise security information and event management (SIEM) product that helps security analysts identify complex threats in their networks and improve incident remediation measures.
Affected versions
- QRadar SIEM 7.3.0 ~ 7.3.1 Patch 2
- QRadar SIEM 7.2.0 ~ 7.2.8 Patch 11
- QRadar SIEM 7.3.1 Patch 3
- QRadar SIEM 7.2.8 Patch 12
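A practitioner checking an inventory against this advisory has to compare point releases and patch levels, not just "7.3" or "7.2". The following added example (not code from the page or from Beyond Security) encodes only the two inclusive ranges from the list above and assumes version strings of the form "7.3.1 Patch 2", optionally prefixed with "QRadar SIEM"; an unparseable string is reported as unknown rather than as safe.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges as given in the advisory list above.
# Each version is (major, minor, point, patch); patch 0 means no patch level.
AFFECTED_RANGES = [
    ((7, 3, 0, 0), (7, 3, 1, 2)),   # QRadar SIEM 7.3.0 through 7.3.1 Patch 2
    ((7, 2, 0, 0), (7, 2, 8, 11)),  # QRadar SIEM 7.2.0 through 7.2.8 Patch 11
]

# Assumed input format: optional "QRadar [SIEM]" prefix, X.Y.Z, optional "Patch N".
_VERSION_RE = re.compile(
    r"^\s*(?:QRadar(?:\s+SIEM)?\s+)?(\d+)\.(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '7.3.1 Patch 2' or 'QRadar SIEM 7.2.8' into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point), int(patch or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the version lies inside an affected range, False if outside,
    None if the string cannot be parsed (callers must not treat None as safe)."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuple comparison orders by major, minor, point, then patch level.
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inventory lines, not real hosts.
    inventory = ["7.3.1 Patch 2", "QRadar SIEM 7.3.1 Patch 3", "7.2.8 Patch 11",
                 "7.2.8 Patch 12", "7.3.0", "version unknown"]
    for line in inventory:
        print(f"{line:28} affected={is_affected(line)}")
```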
According to Beyond Security, QRadar has a built-in application for forensic analysis of files. Although the application is disabled in the Community Edition, its code is still present and parts of it still function. The application has two components: a Java servlet and the main components, which are written in PHP. “This exploit chain abuses both components of the forensics application to bypass authentication and write a file to disk, and then it abuses a cron job to escalate privileges to root.”
Vulnerability assessment and management company Beyond Security has published technical details and proof-of-concept (PoC) code for these vulnerabilities.