QRadar: Popular IBM security tool open to remote code execution attacks

Deserialization vulnerability in SIEM product could lead to complete system compromise

A Java deserialization bug in QRadar, IBM’s enterprise security information and event management (SIEM) platform, allowed hackers to conduct various attacks, including remote code execution.

The bug, found by a security researcher at Netherlands-based start-up Securify, could be triggered by passing objects containing malicious code to a Servlet component of QRadar Community Edition.

Java client applications convert objects into streams of bytes – or ‘serialize’ them – and send them to servers, which deserialize them into their original structure before processing.

If deserialization is not handled properly, hackers can exploit the process to send malicious data to Java application servers.

Securify’s Yorick Koster, who reported the bug to IBM, found it in the JSON-RPC implementation of QRadar’s Servlet.

According to Koster’s findings, some of the methods in the RemoteJavaScript Servlet use the class, which does not perform any checks when deserializing passed objects.

“No checks have been implemented to prevent deserialization of arbitrary objects.

“Consequently, an authenticated user can call one of the affected methods and cause the Servlet to deserialize arbitrary objects,” Koster writes, adding that an attacker could exploit this vulnerability by sending a specially crafted object and conduct “denial of service, change of system settings, or execution of arbitrary code”.
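To make the two preceding points concrete (unchecked deserialization of client-supplied objects, and a JSON-RPC method that reconstructs whatever class the caller encoded), here is an added example that is not QRadar's code, Koster's proof of concept, or anything from IBM. It is a constructed, self-contained Java program: `deserializeUnfiltered` is the unsafe pattern the article describes, and `deserializeFiltered` is the same input path hardened with a JEP 290 serialization filter (Java 9+). The class names `RpcRequest` and `Unexpected`, the method names, and the sample messages are all hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;

public class DeserializationDemo {

    // Constructed message type that the hypothetical RPC method legitimately expects.
    public static final class RpcRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String method;
        final int page;
        RpcRequest(String method, int page) { this.method = method; this.page = page; }
    }

    // Stand-in for any other Serializable class on the server classpath. The RPC
    // method never needs it, but an unfiltered ObjectInputStream will reconstruct it.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note;
        Unexpected(String note) { this.note = note; }
    }

    // BEFORE: the pattern the article describes. No check is made on what class the
    // client encoded, so the attack surface is every Serializable class the server
    // can load, not just RpcRequest.
    static Object deserializeUnfiltered(String base64Param)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Param);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // AFTER: same input, but a serialization filter allows only the class the method
    // is documented to accept (plus String for its field) and rejects everything else
    // ("!*"). maxdepth/maxbytes also blunt resource-exhaustion payloads.
    static RpcRequest deserializeFiltered(String base64Param)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Param);
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;maxbytes=65536;"
                + RpcRequest.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(filter);
            return (RpcRequest) in.readObject();
        }
    }

    // Helper that plays the client: serialize an object and base64-encode it, as a
    // JSON-RPC parameter might carry it.
    static String serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(obj);
        }
        return Base64.getEncoder().encodeToString(buf.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        String legit = serialize(new RpcRequest("listOffenses", 1));      // constructed
        String unexpected = serialize(new Unexpected("not an RpcRequest")); // constructed

        // The unfiltered path instantiates both, which is exactly the problem.
        System.out.println("unfiltered, legit:      "
                + deserializeUnfiltered(legit).getClass().getSimpleName());
        System.out.println("unfiltered, unexpected: "
                + deserializeUnfiltered(unexpected).getClass().getSimpleName());

        // The filtered path accepts the expected type and rejects the other before
        // any of its fields or readObject logic run.
        System.out.println("filtered, legit:        " + deserializeFiltered(legit).method);
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The design point is the deny-by-default tail of the filter string: an allow list of the one or two types a method genuinely consumes, then `!*`. Where an application cannot change its code, the same pattern can be applied process-wide with the `jdk.serialFilter` system property, and rejected classes surface as `InvalidClassException` with a "filter status: REJECTED" message, which is a useful signal to log and alert on.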

Access required

While the vulnerability was dangerous, exploiting it required an attacker to have access to a valid user account in the QRadar installation because the Servlet was only accessible to authenticated user sessions.

“A valid account is needed to trigger the vulnerability. But the account doesn’t require any special permissions. Any account would work,” Koster told The Daily Swig.

Koster published a proof of concept that demonstrates the vulnerability being used for remote code execution.

“The code will run as the ‘nobody’ user. You could chain it with a local privilege escalation vulnerability to completely compromise the system,” Koster said.

“Running arbitrary code as ‘nobody’ allows you to pretty much do everything the QRadar application can do, like gaining access to alert data, which could be sensitive.”

Fast patch

Koster found and reported the deserialization vulnerability along with nine other bugs in January while actively researching QRadar CE. Most were fixed in April.

The Servlet was fixed in the latest version of QRadar CE, released in October.

“This particular issue was the last remaining open issue. I guess it was harder to fix as it affects their entire JSON-RPC API,” he said.

“I was surprised that I could find quite a number of issues in a relatively short amount of time within a security product. It’s sad to see that even the security industry fails at creating secure applications.”
