IBM QRadar Remote Code Execution Vulnerability (CVE-2020-4888) Detection

On January 27, 2021, IBM released an official patch for a serious remote code execution vulnerability affecting its QRadar SIEM.

CVE-2020-4888 Description

The flaw exists because the product's Java deserialization routine does not deserialize user-supplied input securely. As a result, a remote, low-privileged attacker can execute arbitrary commands on the affected system by sending a maliciously crafted serialized Java object.

The vulnerability received a CVSSv3 base score of 6.3, making it a medium-severity issue. Nevertheless, the flaw has low attack complexity, making it a notable bug that requires immediate patching. Since a proof-of-concept (PoC) exploit has already been made public, security experts expect in-the-wild exploitation attempts soon.
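The root cause described above, insecure deserialization of untrusted Java objects, shown as an added illustration beside its hardened form. This is not QRadar's code or the published PoC: the `Message` class, the `DeserializationDemo` methods and the filter string are assumptions, and a `HashMap` stands in for an unexpected class rather than any real gadget chain.

```java
import java.io.*;
import java.util.HashMap;

// Hypothetical message type standing in for whatever a service legitimately expects.
class Message implements Serializable {
    final String action; final int id;
    Message(String action, int id) { this.action = action; this.id = id; }
}

public class DeserializationDemo {
    // Insecure pattern: readObject() instantiates whatever class the bytes name,
    // so a crafted object graph can run gadget code before the caller ever sees it.
    static Object readUnfiltered(byte[] input) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(input))) {
            return in.readObject();
        }
    }

    // Hardened variant: a JEP 290 ObjectInputFilter (Java 9+) allow-lists Message,
    // rejects every other class ("!*") and bounds graph depth and array sizes.
    static Object readFiltered(byte[] input) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;maxarray=1000;Message;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(input))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate Message and an unexpected type (a HashMap
        // stands in for an attacker-chosen class; no real gadget chain is used here).
        byte[] expected = serialize(new Message("health-check", 7));
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unfiltered accepted: " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered accepted:   " + ((Message) readFiltered(expected)).action);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected:   " + e.getMessage());
        }
    }
}
```

The filter is consulted for every class the stream tries to resolve, so the unexpected type is refused before any of its code runs; the same allow-list approach is what vendors typically ship when patching this bug class.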

CVE-2020-4888 Detection and Mitigation

According to the IBM advisory, the vulnerability affects IBM QRadar SIEM versions 7.4.0 through 7.4.2 Patch 1 and 7.3.0 through 7.3.3 Patch 7. Users are urged to install the latest IBM QRadar SIEM version as soon as possible to stay safe.

One of the most active Threat Bounty developers, Osman Demir, has already released a community Sigma rule that detects exploitation attempts for CVE-2020-4888. Download the rule from Threat Detection Marketplace to proactively defend against possible cyber-attacks:

https://tdm.socprime.com/tdm/info/oFg7JXQblNHt/Qhof03cBR-lx4sDx5gzv/#rule-context

The rule has translations to the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, FireEye Helix

EDR: Carbon Black, Sentinel One

MITRE ATT&CK:

Tactics: Initial Access

Techniques: Exploit Public-Facing Application (T1190)

Subscribe to Threat Detection Marketplace for free and reduce the mean time to detect cyber-attacks with a 96,000+ SOC content library that aggregates rules, parsers, and search queries, including Sigma and YARA-L rules easily convertible to various formats. Want to enrich the content base and create your own detection content? Join our Threat Bounty Program for a safer future!