IBM QRadar Vulnerabilities Explained
IBM has issued a security bulletin covering multiple vulnerabilities in its QRadar Suite Software. Most of them are in third-party open-source components bundled with the product (several Node.js modules, the Jinja template engine and the idna library); two are in QRadar's own handling of stored credentials and backend data. Their impact ranges from denial of service (DoS) and information disclosure to remote code execution.
What is IBM QRadar?
IBM QRadar Suite is a security operations platform that bundles SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) capabilities for threat detection, incident response, and compliance reporting. Because it ingests logs and holds credentials for systems across an organization, a compromise of the platform itself is a high-value outcome for an attacker, which is why vulnerabilities in it warrant prompt attention.
Software Versions Affected
The vulnerabilities affect the following versions:
- QRadar Suite Software: Versions 1.10.12.0 to 1.10.23.0
- IBM Cloud Pak for Security: Versions 1.10.0.0 to 1.10.11.0
Key Vulnerabilities
Node.js jose Module (CVE-2024-28176)
The Node.js jose library can consume excessive CPU or memory while decrypting a specially crafted JWE (JSON Web Encryption) object. An attacker who can submit tokens to an endpoint that performs JWE decryption can use this to exhaust the service's resources and deny service to legitimate users.
Jinja Cross-Site Scripting (CVE-2024-34064)
The Jinja template engine's xmlattr filter did not reject attribute keys containing characters that break out of an HTML attribute, so attacker-controlled input passed as keys to that filter ends up in the rendered page unescaped. The result is cross-site scripting: script running in a victim's browser session, which can be used to steal session tokens or credentials.
idna Module Denial of Service (CVE-2024-3651)
The idna module (used to process internationalized domain names) takes disproportionate CPU time on crafted input. According to the bulletin this is exploitable locally: a local attacker can feed such input to exhaust system resources and cause a denial of service.
Plaintext Credential Storage (CVE-2024-25024)
QRadar Suite stores user credentials in plaintext. Anyone with local read access to the relevant files, whether a legitimate local user or an attacker who has gained such access, can recover those credentials and reuse them.
gRPC on Node.js Denial of Service (CVE-2024-37168)
The Node.js gRPC implementation can allocate memory for incoming messages well beyond its configured message-size limits. A remote attacker who can send crafted messages to a gRPC endpoint can exhaust the process's memory and cause a denial of service.
Node.js undici Information Disclosure (CVE-2024-30260)
The undici HTTP client for Node.js mishandles authorization headers, so credentials carried in them can be forwarded to an unintended server, for example when a request is redirected to a different origin. An attacker who controls or observes that destination obtains the credentials.
Node.js undici Security Bypass (CVE-2024-30261)
The integrity option of undici's fetch() could accept a response whose body does not match the supplied hash. A check that should reject a tampered response therefore passes it, defeating the purpose of pinning the integrity of fetched resources.
Improper Data Display (CVE-2024-28799)
QRadar Suite displays backend data that should not be exposed, disclosing sensitive information to users who are not meant to see it.
Arbitrary Code Execution in fast-loops (CVE-2024-39008)
The fast-loops package is vulnerable to prototype pollution: crafted input can add attacker-chosen properties to Object.prototype, which every plain object in the Node.js process then inherits. What that buys the attacker depends on which code later reads those properties; the bulletin rates the outcome as remote code execution, the most severe of the issues listed here.
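The mechanism behind prototype pollution, as an added illustration: this is not fast-loops' code and does not reproduce its specific bug. A recursive merge that trusts attacker-controlled keys reaches Object.prototype through the __proto__ accessor, after which an unrelated object "has" the injected property. The function names unsafeMerge, safeMerge, isAdmin and demo are illustrative, and the payload is constructed.

```javascript
// Added example, not fast-loops code: how a recursive merge over untrusted keys
// pollutes Object.prototype, and a hardened variant. Names are illustrative.

// Vulnerable pattern: trusts every key in `source`, including "__proto__".
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      // For key "__proto__", target[key] goes through the accessor and returns
      // Object.prototype, so the recursion writes into the prototype shared by
      // every plain object in the process.
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened variant: refuse the keys that reach a prototype, and only descend
// into objects `target` actually owns (never into inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== 'object') target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Typical downstream consumer: an authorization check that reads a property
// it expects to be set only by trusted code.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Constructed attacker input, e.g. a JSON request body. JSON.parse creates an
// own property literally named "__proto__", which Object.keys() returns.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Runs the merge, checks whether an unrelated user object became admin,
// then undoes any pollution so the rest of the process is unaffected.
function demo(merge) {
  merge({}, JSON.parse(PAYLOAD));
  const escalated = isAdmin({ name: 'guest' });
  delete Object.prototype.isAdmin;
  return escalated;
}

console.log('unsafeMerge escalates guest to admin:', demo(unsafeMerge)); // true
console.log('safeMerge escalates guest to admin:', demo(safeMerge));     // false
```

The step from pollution to code execution is application-specific: the usual gadget is a polluted property that some library reads as an option, such as a child-process spawner honouring an inherited shell setting or a template engine honouring an inherited compile option. The fix pattern is the same regardless: never treat __proto__, constructor or prototype as data keys, and build objects from untrusted input with Object.create(null) where possible.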
Node.js ip Module SSRF (CVE-2024-29415)
The Node.js ip module misclassifies some address formats, reporting addresses that actually point at loopback or private ranges as public. Shorthand and alternative notations such as 127.1, 012.1.2.3, 000:0:0000::01 and ::fFFf:127.0.0.1 are affected. Code that relies on ip.isPublic() to keep a server from connecting to internal destinations can therefore be tricked into a server-side request forgery (SSRF) against internal services.
Mitigation Steps
IBM recommends upgrading QRadar Suite Software to version 1.10.24.0 or later; no workarounds or mitigations are available for the affected versions. Until the upgrade is applied, limiting network access to QRadar's web interface and API endpoints to trusted sources reduces exposure to the remotely exploitable issues, but it does not address the local ones (plaintext credential storage, the idna resource exhaustion), so the upgrade should not be deferred.