On January 27, 2021, IBM released an official patch for a serious remote code execution vulnerability affecting its QRadar SIEM.
The flaw exists because a Java deserialization routine fails to deserialize user-supplied input securely. As a result, a remote, low-privileged attacker can execute arbitrary commands on the affected system by sending a maliciously crafted serialized Java object.
The vulnerability received a CVSSv3 base score of 6.3, making it a medium-severity issue. Nevertheless, the flaw has low attack complexity, making it a notable bug that requires prompt patching. Since a proof-of-concept (PoC) exploit has already been made public, security experts expect in-the-wild exploitation attempts soon.
CVE-2020-4888 Detection and Mitigation
According to the IBM advisory, the vulnerability affects IBM QRadar SIEM versions 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7. Users are urged to install the latest IBM QRadar SIEM version as soon as possible to stay safe.
One of the most active Threat Bounty developers, Osman Demir, has already released a community Sigma rule that detects exploitation attempts for CVE-2020-4888. Download the rule from Threat Detection Marketplace to proactively defend against possible cyber-attacks:
The rule has translations to the following platforms:
SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, FireEye Helix
EDR: Carbon Black, Sentinel One
Tactics: Initial Access
Techniques: Exploit Public-Facing Application (T1190)
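As an added illustration of what detection content for this bug class has to look for (this is not the Sigma rule mentioned above, nor code from IBM or SOC Prime), the Python below flags request bodies that carry a Java serialization stream, raw or base64-encoded, and reports the first class name so an analyst can triage the payload. It relies only on the fixed header every Java serialization stream starts with; the sample bodies are constructed for the demonstration, and nothing in it is specific to QRadar's endpoints, which the post does not describe.

```python
"""
Heuristic detector for Java serialization streams in untrusted input.

Added example: flags bodies that contain a raw or base64-encoded Java
serialization stream and extracts the first class name for triage.
The sample bodies at the bottom are constructed, not captured traffic.
"""
import base64
import re
from typing import Dict, List, Optional

# Every Java serialization stream begins with STREAM_MAGIC (0xACED)
# followed by STREAM_VERSION (0x0005).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# base64 of the magic plus a type code in 0x40-0x7F (all TC_* codes are
# 0x70-0x7E) always starts with these five characters.
JAVA_STREAM_MAGIC_B64 = "rO0AB"

TC_OBJECT = 0x73      # "an object follows"
TC_CLASSDESC = 0x72   # "a class descriptor follows"


def first_class_name(stream: bytes) -> Optional[str]:
    """Return the first class name in a serialization stream, or None.

    Handles the common layout: magic, TC_OBJECT, TC_CLASSDESC, 2-byte
    big-endian length, class name. Class names are ASCII in practice, so
    plain UTF-8 decoding is enough for this heuristic.
    """
    if not stream.startswith(JAVA_STREAM_MAGIC):
        return None
    pos = len(JAVA_STREAM_MAGIC)
    if len(stream) < pos + 4:
        return None
    if stream[pos] != TC_OBJECT or stream[pos + 1] != TC_CLASSDESC:
        return None
    pos += 2
    name_len = int.from_bytes(stream[pos:pos + 2], "big")
    pos += 2
    name = stream[pos:pos + name_len]
    if len(name) != name_len:
        return None  # truncated stream
    try:
        return name.decode("utf-8")
    except UnicodeDecodeError:
        return None


def extract_stream(body: bytes) -> Optional[bytes]:
    """Locate a Java serialization stream in a body, raw or base64-encoded."""
    idx = body.find(JAVA_STREAM_MAGIC)
    if idx != -1:
        return body[idx:]
    # base64 case: find the tell-tale prefix and decode the base64 run.
    text = body.decode("latin-1")
    match = re.search(JAVA_STREAM_MAGIC_B64 + r"[A-Za-z0-9+/=]*", text)
    if not match:
        return None
    chunk = match.group(0)
    try:
        return base64.b64decode(chunk + "=" * (-len(chunk) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def inspect_body(body: bytes) -> Dict[str, object]:
    """Classify one request body and return a small finding record."""
    stream = extract_stream(body)
    if stream is None:
        return {"suspicious": False, "encoding": None, "class_name": None}
    encoding = "raw" if JAVA_STREAM_MAGIC in body else "base64"
    return {"suspicious": True, "encoding": encoding,
            "class_name": first_class_name(stream)}


def scan_bodies(bodies: Dict[str, bytes]) -> List[str]:
    """Return the names of all bodies that carry a serialization stream."""
    return [name for name, body in bodies.items()
            if inspect_body(body)["suspicious"]]


def _java_stream_head(class_name: str) -> bytes:
    """Constructed test data: only the head of a stream, not a loadable object."""
    name = class_name.encode("utf-8")
    return (JAVA_STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
            + len(name).to_bytes(2, "big") + name)


# Constructed sample bodies (not real QRadar traffic).
SAMPLE_BODIES = {
    "json_login": b'{"user": "analyst", "token": "abc123"}',
    "raw_stream": b"field=" + _java_stream_head("java.util.HashMap"),
    "b64_stream": b"payload=" + base64.b64encode(_java_stream_head("java.util.ArrayList")),
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, inspect_body(body))
```

The header check is deliberately narrow: it tells you that a serialized Java object reached an endpoint that should only see JSON or form data, which is exactly the condition a rule for this bug class keys on, and the class name gives the analyst something to pivot on. It is a triage aid, not a substitute for the vendor patch, and it will not see streams that are compressed or otherwise encoded before transport.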
Subscribe to Threat Detection Marketplace for free and reduce the mean time to detect cyber-attacks with a 96,000+ item SOC content library that aggregates rules, parsers, search queries, and Sigma and YARA-L rules easily convertible to various formats. Want to enrich the content base and create your own detection content? Join our Threat Bounty Program for a safer future!