Delaware, USA – May 31, 2018 – Independent researcher Pedro Ribeiro has found and described an exploit chain in the Incident Forensics application built into IBM QRadar that lets an unauthenticated attacker execute commands on the SIEM remotely. The chain consists of three vulnerabilities, all tracked under the single identifier CVE-2018-1418. None of them is especially severe on its own, but exploited one after another they can compromise the SIEM installation and, with it, the security of the whole company. IBM QRadar Incident Forensics performs forensic analysis of specific files; the app is disabled in the Community Edition, but the parts of its code needed to exploit the vulnerabilities are still present there, so Community Edition installations are exposed as well. The chain passes through both the PHP and the Java components of the application. The first vulnerability bypasses authentication in the ForensicAnalysisServlet and allows calling functions in the Java part of the app. The second allows injecting commands into a PHP web application. The third escalates privileges from the “nobody” user to root.
The researcher reported the exploit chain to the vendor, and IBM has already released fixed versions of IBM QRadar; the affected and patched versions are listed in the vendor's bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg22015797
We strongly recommend checking your installed version against the bulletin and updating your SIEM as soon as possible. Tips for updating IBM QRadar are in our article: https://socprime.com/blog/updating-ibm-qradar/
You can also use VPN Security Monitor to track unauthorized access attempts.