Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM (CVE-2013-5448, CVE-2013-6307, CVE-2013-5463)

Flash (Alert)


Abstract

Cross Site Scripting and injection vulnerabilities have been discovered within IBM Security QRadar SIEM.

Content

VULNERABILITY DETAILS:
CVE ID: CVE-2013-5448

DESCRIPTION: A Cross Site Scripting vulnerability has been discovered within the IBM QRadar Security Information and Event Management (SIEM) software in the "Right Click Plugin" context menus for IP information. This issue is only apparent when the plugin menu is enabled (via ip_context_menu.xml file), and is not enabled by default.

The attack requires network access, some specialized knowledge of the system and the attacker does not need to be authenticated by the application. An exploit could impact the integrity of the data, but the availability of the system and confidentiality of information are not compromised.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87912 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECT PRODUCTS:
IBM QRadar Security Information and Event Manager (SIEM) 7.1
IBM QRadar Security Information and Event Manager (SIEM) 7.2

REMEDIATION:

The vulnerability is fixed in the following versions of QRadar SIEM:
· For QRadar SIEM 7.2 – Install QRadar SIEM 7.2 MR1 Patch 1
· For QRadar SIEM 7.1 – Follow Workaround instructions below (patch to be released on February 3, 2014)

Workaround(s):
The following workaround will work for all versions of the product by disabling the IP Right Click Context Plugin by following the following steps.

1. Using SSH, log in to the IBM QRadar SIEM Console as the root user:
ssh <consoleip>

2. Move the plugin xml file to a backup file.
mv /opt/qradar/conf/ip_context_menu.xml /opt/qradar/conf/ip_context_menu.xml.bak

3. Restart tomcat
service tomcat restart

After these steps have been completed, the plugin menu will be disabled and the system no longer vulnerable to the XSS issue. Once the patch has been applied you can re-enable the plugin menu.

Mitigation(s):
None

ACKNOWLEDGEMENT
This vulnerability was reported to IBM by Stephen Hosom






CVE ID: CVE-2013-6307

DESCRIPTION: A Cross Site Scripting vulnerability has been discovered within the IBM QRadar SIEM software.

The attack requires network access, some specialized knowledge of the system and the attacker does not need to be authenticated by the application. An exploit could impact the integrity of the system, but the availability of the system and confidentiality of information are not compromised.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88556 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECT PRODUCTS:
IBM QRadar Security Information and Event Manager (SIEM) 7.0

REMEDIATION:

The vulnerability is fixed in the following versions of QRadar SIEM:
· QRadar SIEM 7.1 MR2 Patch 3 (or higher)

(NOTE: For QRadar SIEM 7.0 users, contact IBM Support for instructions)

Workaround(s):
None

Mitigation(s):
None

ACKNOWLEDGEMENT
This vulnerability was reported to IBM by azzeddine @ zertox1






CVE ID: CVE-2013-5463

DESCRIPTION: It is possible to bypass protections in the QRadar WinCollect agent, by using a injection based attack. Using such an attack it is possible to inject a malicious dll or configuration into the agent, which can affect the security of the host it is installed on.

The attack requires network access, requires some specialized knowledge or techniques and does not require authentication. An exploit can impact the integrity of the system, availability of the system and confidentiality of information stored within the system.

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88361 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

AFFECT PRODUCTS:
IBM QRadar Security Information and Event Manager (SIEM) WinCollect Agent prior to v7.1.1

REMEDIATION:

The vulnerability is fixed in the following versions of QRadar SIEM:
· QRadar SIEM WinCollect Agent 7.1.1 (7.1.1.569824-setup.exe or above)

Workaround(s):
None

Mitigation(s):
None

ACKNOWLEDGEMENT
This vulnerability was reported to IBM by Allan A. Klein

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2013-5448
· CVE-2013-6307
· CVE-2013-5463
· http://xforce.iss.net/xforce/xfdb/87912
· http://xforce.iss.net/xforce/xfdb/88556
· http://xforce.iss.net/xforce/xfdb/88361
· IBM Security Alerts
· QRadar SIEM 7.2 MR1 Patch 1
· QRadar SIEM 7.1 MR2 Patch 3
· QRadar SIEM WinCollect Agent 7.1.1



RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog




CHANGE HISTORY:

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY

Rate this page:

(0 users)Average rating

Document information


More support for:

IBM Security QRadar SIEM
General Information

Software version:

7.0, 7.1, 7.2

Operating system(s):

Linux, Windows

Reference #:

1656875

Modified date:

2014-02-14

Translate my page

Machine Translation

Content navigation