Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.0127
Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM
(CVE-2014-0838, CVE-2014-0835, CVE-2014-0836, CVE-2014-0837)
31 January 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM QRadar SIEM
Publisher: IBM
Operating System: Linux variants
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Cross-site Request Forgery -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2014-0838 CVE-2014-0837 CVE-2014-0836
CVE-2014-0835
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=%20swg21663066
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple vulnerabilities in IBM QRadar SIEM (CVE-2014-0838,
CVE-2014-0835, CVE-2014-0836, CVE-2014-0837)
Flash (Alert)
Abstract
Document information
More support for:
IBM Security QRadar SIEM
Software version:
7.0, 7.1, 7.2
Operating system(s):
Linux, Windows
Reference #:
1663066
Modified date:
2014-01-29
Multiple vulnerabilities exist in the AutoUpdate settings page and the
AutoUpdate process within the IBM QRadar SIEM that when used together could
result in remote code execution.
Content
VULNERABILITY DETAILS:
CVE ID:
CVE-2014-0838
DESCRIPTION: A flaw in the IBM QRadar Security Information and Event Management
(SIEM) AutoUpdate process could allow for remote commands to be run on the
console. The server first needs to be either compromised or changed to the
attacker's server by the way of the Cross-Site Request Forgery (CVE-2014-0835),
Cross-Site Scripting (CVE-2014-0836) or the Incorrect Handling of
SSL(CVE-2014-0837) described below. The attack does not require local network
access or authentication but specialized knowledge and techniques are required.
An exploit can compromise the confidentiality of information, the integrity of
data and availability of the system.
CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90681 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
AFFECTED PRODUCTS:
IBM QRadar Security Information and Event Manager (SIEM) 7.2 MR1 and earlier
REMEDIATION:
An AutoUpdate packto fix this vulnerability is available commencing on January
28, 2014. To install this AutoUpdate package please do the following:
Open a new broswer session ensuring that all other websites are closed.
Navigate to the QRadar Console IP and log into the system as an
administrator.
Open the "Admin" Tab, and click the 'Auto Update' button under 'System
Configuration'.
Once the Auto Update settings page appears click 'Change Settings' and
click the 'Advanced' tab.
Ensure that the proper 'Web Server' (default: https://qmmunity.q1labs.com/)
and 'Directory' (default: autoupdates/).
Once the settings are verified, navigate to 'Check fo Updates', and click
on the 'Get New Updates' button.
Wait while the Auto Update runs. You should see a notification once the
update has been completed.
To verify that the patch has been installed view the /var/log/qradar.log
file and look for a line similar to the following:
Jan 28 10:07:04 qradar AUTOUPDATE[4986]: Required version is 6.4 We are
running 6.3
Jan 28 10:07:04 qradar AUTOUPDATE[4986]: Restarting with version 6.4.
Jan 28 10:08:02 qradar AUTOUPDATE[8694]: Autoupdate 6.4 initialized.
Version 6.4 of the Auto Update is the patched version for this vulnerability.
This will fix all versions of QRadar.
If you would prefer to patch this issue manually rather than through the Auto
Update Process, the fix will be provided for this issue by mid February 2014.
This bulletin will be updated when the fix is available.
WORKAROUNDS:
None
MITIGATION:
Automatic updates can be temporarily be disabled until a fix is available. As
long as the appliance update settings cannot be modified through Cross-Site
Request Forgery ( CVE-2014-0835) or Cross-Site Scripting ( CVE-2014-0836) this
should prevent an exploit from taking effect.
Once a fix is available customers can force an auto-update to address this
issue after manually validating the update server. A manual patch will be also
provided.
If you turn off auto-update, you should continue to monitor this bulletin for
updates to the remediation section to find information about the availability
of the fix.
CVE ID:
CVE-2014-0835
DESCRIPTION: A Cross-Site Request Forgery vulnerability has been discovered
within the IBM QRadar Security Information and Event Management (SIEM)
software. This vulnerability could allow an attacker to change the Auto Update
settings of the QRadar console. The attack does not require local network
access or authentication but specialized knowledge and techniques are
required. An exploit would not impact the availability of the system or the
confidentiality of information, however the integrity of data could be
compromised.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90678 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM QRadar Security Information and Event Manager (SIEM) 7.2 MR1 and earlier
REMEDIATION:
A fix will be provided for this issue by mid February 2014.
This bulletin will be updated when the fix is available.
WORKAROUNDS:
None
MITIGATION:
Do not visit other webpages with the web browser that you are using to access
QRadar unless you are logged out of the QRadar application.
Verify that all settings are correct and as desired before deploying your
configuration.
CVE ID:
CVE-2014-0836
DESCRIPTION: A Cross Site Scripting vulnerability has been discovered within
the IBM QRadar Security Information and Event Management (SIEM) software. This
vulnerability could allow an attacker to gain access to the administrative
settings of the QRadar console. The attack does not require local network
access or authentication but specialized knowledge and techniques are required.
An exploit would not impact the availability of the system or the
confidentiality of information, however the integrity of data could be
compromised.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90679 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM QRadar Security Information and Event Manager (SIEM) 7.2 MR1 and earlier
REMEDIATION:
A fix will be provided for this issue by mid February 2014.
This bulletin will be updated when the fix is available.
WORKAROUNDS:
None
MITIGATION:
Do not launch the QRadar application from links you received in an e-mail or
from other untrusted sources.
Verify that all settings are correct and as desired before deploying your
configuration.
CVE ID:
CVE-2014-0837
DESCRIPTION: The AutoUpdate process in the IBM QRadar Security Information and
Event Management (SIEM) software does not verify the validity of the
certificate passed during the initiation of its secure communication. This
could allow an attacker to spoof the AutoUpdate Server with no warning to the
administrator. The attack does not require local network access or
authentication but does require specialized knowledge and techniques. An
exploit would not impact the availability or confidentiality of the system,
however the integrity of data could be compromised.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90680 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM QRadar Security Information and Event Manager (SIEM) 7.2 MR1 and earlier
REMEDIATION:
A fix is anticipated to be available in March 2014.
This bulletin will be updated when the fix is available.
WORKAROUNDS:
None
MITIGATION:
Verify that all settings for the AutoUpdate are set correctly, and manually
ensure that the site set as the update server is valid and trusted by opening
the link in a browser or validating the IP address.
RELATED INFORMATION:
CVE-2014-0838
CVE-2014-0835
CVE-2014-0836
CVE-2014-0837
http://xforce.iss.net/xforce/xfdb/90681
http://xforce.iss.net/xforce/xfdb/90678
http://xforce.iss.net/xforce/xfdb/90679
http://xforce.iss.net/xforce/xfdb/90680
Complete CVSS Guide
X-Force Vulnerability Database
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
CHANGE HISTORY:
29 January 2014 - Remediation updated for CVE-2014-0838
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUurg7BLndAQH1ShLAQLP+BAAs3B/xAsnstt+rUm6VdSAvihMjiy1cwSO
xfT02FHlCER9qGkESzY01vE8vuo5ZX6gkm+juM4kzXyGaHJHc2dv6ROhnTnEVsI8
Ef0PuXx73UK1MD00Jl4ar1e3BqD5tBABiMMP74yrqL1z1fUHt/hLsK2mXNRqJ01p
Nj1Caz3fMk4lOUjI8ZHgMtApMfvXSz5YfqSgJZ6R06j6NrHE8yoDsLUq+dztA/bI
6S3Pp64xMQC+r5ED4sjtr/dm0FbVs3vi5Uc+UboJ4aZqchHW7UWH9y8NzfUCr8wX
Fln4uwjDCanwoaF7VF9ISlksUccwgZpi7fmLStDdgMVuMBsMkD93EFMaYv+CNCXi
u6SXdQQZ2161tmp/mce8EdBvqPvZtyNTIOOIHfrV3iLNZVCDXooff7ocT3Q1XDFX
j8uRH1ByEhC2eY8b3McDX9ZWQem0EzPmdv8p+roq98pdJmYF90oVLp3fTLpSfRv1
JEevn4XZKTjnbgaZG0TfMzUau5BX7OSmp4V/bhaPvxkwU2Ci0wb0igJd8GzO/Dix
3A9w2WSgMM3+qbv3xUc22A/IPPmOG5G5L/VVXzadDafnlrhVedNiPZFHkYI9uS56
90j7ln/w1U4nQvXGDK83KSzGvOvKJtV/4XKwkDYZNX8Ofly8puauK0p6NcMLFThA
OwsG5ZTAdJk=
=p8nK
-----END PGP SIGNATURE-----