IBM QRadar Authentication Bypass: CVE-2018-1418

Multiple vulnerabilities in IBM QRadar have been disclosed. Upon successful exploitation an attacker can bypass authentication and achieve remote code execution. CVE-2018-1418 has been assigned to track this vulnerability. IBM QRadar is a SIEM tool used to detect and analyze security anomalies. The issue affects QRadar SIEM 7.3.0 to 7.3.1 Patch 2 and 7.2.0 to 7.2.8 Patch 11. IBM has addressed this vulnerability in SWG22015797. CVE-2018-1418 covers authentication bypass, command injection and elevation of privilege. A PoC for this vulnerability is available online.

Vulnerability
As mentioned earlier, a combination of vulnerabilities is chained to gain code execution as root. QRadar consists of a main application module called ‘console’ and many helper modules for various operations.

Authentication Bypass:
In QRadar, authentication is done via the SEC cookie, which can be obtained by logging in, by using a previously created token, or from the host.token file. Forensics Analysis (ForensicsAnalysisServlet) is a helper module which stores SEC cookies in a hashmap. Before committing any action it validates this cookie with the main application. To use the ForensicsAnalysisServlet a user needs to register SEC and QRadarCSRF tokens by calling setSecurityTokens().
doGetOrPost() handles the requests for ForensicsAnalysisServlet.
If we send the parameter forensicsManagedHostIps along with setSecurityTokens, the user-supplied tokens are added to the hashmap before they are validated with the main application, which is what allows the authentication check to be bypassed.
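The following is an added example, not code from the advisory or from Qualys: a small log-review helper that parses Apache combined-format access-log lines and flags requests to ForensicsAnalysisServlet that register tokens together with the forensicsManagedHostIps parameter, the pattern described above. The sample log lines are constructed, and the /forensics/ URL path and the spelling of the query parameters are assumptions; only the servlet and parameter names come from the write-up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not from the
# advisory or a real QRadar host. The /forensics/ path is an assumption; only
# the servlet and parameter names are taken from the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2018:10:01:02 +0000] "GET /console/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Apr/2018:10:01:03 +0000] "GET /forensics/ForensicsAnalysisServlet?forensicsManagedHostIps=10.0.0.9&setSecurityTokens=1 HTTP/1.1" 200 12 "-" "python-requests/2.18"
10.0.0.9 - - [10/Apr/2018:10:01:04 +0000] "GET /forensics/ForensicsAnalysisServlet?setSecurityTokens=1 HTTP/1.1" 200 12 "-" "python-requests/2.18"
10.0.0.7 - - [10/Apr/2018:10:02:00 +0000] "GET /forensics/ForensicsAnalysisServlet?action=list HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status of one combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Split one access-log line into fields; query parameter names are lower-cased."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    query = parse_qs(parts.query, keep_blank_values=True)
    rec["params"] = {k.lower(): v for k, v in query.items()}
    return rec

def classify(rec):
    """Severity for one request to ForensicsAnalysisServlet, or None if nothing to flag."""
    if "forensicsanalysisservlet" not in rec["path"].lower():
        return None
    params = rec["params"]
    # Token registration combined with the host-IP parameter is the pattern the
    # write-up describes: tokens land in the hashmap before the console checks them.
    if "forensicsmanagedhostips" in params and "setsecuritytokens" in params:
        return "high"
    if "setsecuritytokens" in params:   # token registration alone is also normal use
        return "medium"
    return None

def scan(log_text):
    """Return (client_ip, path, severity) for every flagged request, in log order."""
    parsed = filter(None, map(parse_line, log_text.splitlines()))
    flagged = ((r, classify(r)) for r in parsed)
    return [(r["ip"], r["path"], sev) for r, sev in flagged if sev]
```

Access logs record only the query string, so parameters sent in a POST body are invisible to this check; pair it with application-level logging or a WAF rule if POST requests to the servlet are in scope.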

Command Injection:
The PHP part of the application does not authenticate requests coming from the local host. To exploit this we use the get function in file.php, specifically the pcapArray code flow. The code ZIPs the pcap files before further processing. Due to improper checks of file names, this allows us to execute commands as ‘nobody’.

Elevation of Privilege:
We use a cron job that executes as root to run our code. The cron job UpdateConfs.pl checks the database and executes the entries at root level. Via the command injection we can write our code to /store/configservices/*, which is accessible to the ‘nobody’ account.

Mitigation
Please apply the latest patches from IBM to address CVE-2018-1418. Qualys customers can scan their network with QID 370928 to detect vulnerable machines.

Please continue to follow Qualys Threat Protection for information on various vulnerabilities.

References
Security Bulletin: IBM QRadar Incident Forensics, as found in IBM QRadar SIEM, is vulnerable to an authentication bypass leading to remote command injection. (CVE-2018-1418)
CVE-2018-1418
SSD Advisory – QRadar Remote Command Execution
