Deserialization vulnerability in SIEM product could lead to complete system compromise
The bug, found by a security researcher at Netherlands-based start-up Securify, could be triggered by passing objects containing malicious code to a Servlet component of QRadar Community Edition.
Java client applications convert objects into streams of bytes – or ‘serialize’ them – and send them to servers, which deserialize them into their original structure before processing.
If deserialization is not handled properly, attackers can abuse the process by sending malicious serialized data that the Java application server reconstructs into objects it never intended to instantiate.
Securify’s Yorick Koster, who reported the bug to IBM, found it in the JSON-RPC implementation of QRadar’s Servlet.
“No checks have been implemented to prevent deserialization of arbitrary objects.
“Consequently, an authenticated user can call one of the affected methods and cause the Servlet to deserialize arbitrary objects,” Koster writes, adding that an attacker could exploit this vulnerability by sending a specially crafted object and conduct “denial of service, change of system settings, or execution of arbitrary code”.
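The missing check Koster describes is the kind of allow-list a server-side deserializer should apply before any class named in the stream is resolved. The following is an added example, not code from Securify's advisory or from IBM's fix: it contrasts an unfiltered `ObjectInputStream` with one carrying a JEP 290 serialization filter, and the allow-listed types (`HashMap`, `String`, `Integer`) are a hypothetical stand-in for what a JSON-RPC handler might legitimately expect.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;

public class FilteredDeserialization {

    // Allow-list filter (JEP 290): only the hypothetical RPC parameter types are
    // accepted; java.lang.Number is listed because Integer's serializable superclass
    // descriptor is also checked. "!*" rejects every other class, and the limits
    // bound graph depth and reference count before anything is instantiated.
    static final ObjectInputFilter RPC_FILTER = ObjectInputFilter.Config.createFilter(
        "java.util.HashMap;java.lang.String;java.lang.Number;java.lang.Integer;"
        + "maxdepth=5;maxrefs=100;!*");

    // Client side stand-in: turn an object graph into the bytes sent over the wire.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: resolves and instantiates whatever class the stream names.
    static Object deserializeUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: the filter is consulted for every class descriptor in the stream.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(RPC_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> params = new HashMap<>();  // constructed "expected" request
        params.put("limit", 10);
        byte[] expected = serialize(params);
        // Constructed "unexpected" payload: any Serializable type outside the allow-list.
        byte[] unexpected = serialize(new ArrayList<String>());

        System.out.println("unchecked, expected:   " + deserializeUnchecked(expected));
        System.out.println("filtered,  expected:   " + deserializeFiltered(expected));
        System.out.println("unchecked, unexpected: " + deserializeUnchecked(unexpected));
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered,  unexpected: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same filter can be applied process-wide with the `jdk.serialFilter` system property, which is the usual way to retrofit an application whose deserialization entry points are spread across an RPC layer.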
While the vulnerability was dangerous, exploiting it required an attacker to have access to a valid user account in the QRadar installation because the Servlet was only accessible to authenticated user sessions.
“A valid account is needed to trigger the vulnerability. But the account doesn’t require any special permissions. Any account would work,” Koster told The Daily Swig.
Koster published a proof of concept that demonstrates the vulnerability by using it to achieve remote code execution (RCE).
“The code will run as the ‘nobody’ user. You could chain it with a local privilege escalation vulnerability to completely compromise the system,” Koster said.
“Running arbitrary code as ‘nobody’ allows you to pretty much do everything the QRadar application can do, like gaining access to alert data, which could be sensitive.”
Koster found and reported the deserialization vulnerability along with nine other bugs in January while actively researching QRadar CE. Most were fixed in April.
The Servlet was fixed in the latest version of QRadar CE, released in October.
“This particular issue was the last remaining open issue. I guess it was harder to fix as it affects their entire JSON-RPC API,” he said.
“I was surprised that I could find quite a number of issues in a relatively short amount of time within a security product. It’s sad to see that even the security industry fails at creating secure applications.”