SB2024040247 - Multiple vulnerabilities in IBM QRadar SIEM 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024040247

SB2024040247 - Multiple vulnerabilities in IBM QRadar SIEM

Published: April 2, 2024 Updated: November 15, 2024

Security Bulletin ID SB2024040247
Severity
High
Patch available
YES
Number of vulnerabilities 41
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 10% Medium 63% Low 27%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 41 secuirty vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-4091)

The vulnerability allows a remote user to truncate read-only files.

The vulnerability exists due to an error in the way SMB protocol implementation in Samba handles file operations. A remote user can request read-only access to files and then truncate them to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes".


2) Type Confusion (CVE-ID: CVE-2023-0286)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion error related to X.400 address processing inside an X.509 GeneralName. A remote attacker can pass specially crafted data to the application, trigger a type confusion error and perform a denial of service (DoS) attack or read memory contents.

In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.


3) XML External Entity injection (CVE-ID: CVE-2022-48565)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input within the plistlib module. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.


4) Resource exhaustion (CVE-ID: CVE-2022-48564)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability occurs when processing malformed Apple Property List files in binary format. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


5) Out-of-bounds write (CVE-ID: CVE-2023-42753)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the netfilter subsystem in Linux kernel. A local user can trigger an out-of-bounds write and execute arbitrary code with elevated privileges.


6) Use-after-free (CVE-ID: CVE-2023-4813)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the gaih_inet() function when the getaddrinfo() function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.



7) Resource management error (CVE-ID: CVE-2023-5678)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within DH_generate_key() and DH_check_pub_key() functions. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


8) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2022-36760)

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests in mod_proxy_ajp. A remote attacker can send a specially crafted HTTP request to the web server and smuggle arbitrary HTTP headers to the AJP server it forwards requests to.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.


9) Improper Authorization (CVE-ID: CVE-2023-3961)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation when handling client pipe names. A remote attacker can provide a specially crafted pipe name containing directory traversal characters and force Samba to connect to Unix domain sockets outside of the private directory meant to restrict the services a client could connect to.The connection to Unix domain sockets is performed as root, which means that if client sends a pipe name that resolved to an external service using an existing Unix domain socket, the client is able to connect to it without any filesystem restrictions.


10) Resource management error (CVE-ID: CVE-2023-42669)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to inclusion of the "rpcecho" server into production build, which can call sleep() on AD DC. A remote user can request the server block using the "rpcecho" server and perform a denial of service (DoS) attack.


11) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2022-4304)

The vulnerability allows a remote attacker to obtain sensitive information.

The vulnerability exists due to a timing based side channel exists in the OpenSSL RSA Decryption implementation. A remote attacker can perform a Bleichenbacher style attack and decrypt data sent over the network.

To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.


12) Out-of-bounds read (CVE-ID: CVE-2022-2127)

The vulnerability allows a remote attacker to gain access to sensitive information or perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in winbindd_pam_auth_crap.c in winbind AUTH_CRAP when performing NTLM authentication. A remote attacker can trigger an out-of-bounds read error and gain access to sensitive information or crash the server.


13) Infinite loop (CVE-ID: CVE-2023-34966)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when parsing Spotlight mdssvc RPC packets. A remote attacker can consume all available system resources and cause denial of service conditions on servers where Spotlight is explicitly enabled globally or on individual shares with "spotlight = yes".


14) Type Confusion (CVE-ID: CVE-2023-34967)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion error when parsing Spotlight mdssvc RPC packets. A remote attacker can send specially crafted data to the server, trigger a type confusion error and crash the server.


15) Information disclosure (CVE-ID: CVE-2023-34968)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can send a specially crafted RPC request to the server and obtain real server-side share path.


16) Raccoon attack (CVE-ID: CVE-2020-1968)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a timing flaw in the TLS specification. A remote attacker can compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite and eavesdrop on all encrypted communications sent over that TLS connection.

Note: The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections.


17) Cryptographic issues (CVE-ID: CVE-2019-1551)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an overflow issue within the rsaz_512_sqr(): the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. A remote attacker can perform an attack against DH512 keys.


18) Cryptographic issues (CVE-ID: CVE-2019-1547)

The vulnerability allows a remote attacker to decrypt traffic.

The vulnerability exists due to insufficient enforcement of side channel resistant code paths. A remote attacker with ability to create a large number of signatures, where explicit parameters with no co-factor is present, can force the application to fall back to non-side channel resistant code pathsduring ECDSA signature operation and perform full key recovery.

Successful exploitation of the vulnerability may allow an attacker to decrypt communication between server and client.


19) Padding oracle attack (CVE-ID: CVE-2019-1563)

The vulnerability allows a remote attacker to perform padding oracle attack.

The vulnerability exists due to possibility to perform a Bleichenbacher padding oracle attack against the RSA key, in situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker. A remote attacker can send a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key.


20) Use-after-free (CVE-ID: CVE-2023-0215)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the BIO_new_NDEF function. A remote attacker can trigger a use-after-free error and perform a denial of service (DoS) attack.



21) Resource management error (CVE-ID: CVE-2023-3817)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when checking the long DH keys. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


22) Resource exhaustion (CVE-ID: CVE-2023-42503)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing .tar archives. A remote attacker can pass a specially crafted archive to the application and consume excessive CPU usage.


23) Integer overflow (CVE-ID: CVE-2020-36242)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow when processing certain sequences of update calls to symmetrically encrypt multi-GB values. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


24) Improper access control (CVE-ID: CVE-2018-17196)

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to improper security restrictions imposed by the affected software. A remote authenticated attacker with write permission on respective topics can send a crafted Produce request that is designed to bypass transaction/idempotent access control list (ACL) validation.


25) State Issues (CVE-ID: CVE-2023-6129)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in POLY1305 MAC (message authentication code) implementation on PowerPC CPU based platforms if the CPU provides vector instructions. A remote attacker can perform a denial of service (DoS) attack.


26) Use-after-free (CVE-ID: CVE-2023-4806)

The vulnerability allows an attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the getaddrinfo() function. A remote attacker can perform a denial of service (DoS) attack.



27) Cross-site scripting (CVE-ID: CVE-2021-43818)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the HTML Cleaner in lxml.html. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


28) Covert Timing Channel (CVE-ID: CVE-2020-25659)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.


29) Cross-site scripting (CVE-ID: CVE-2020-27783)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within lxml Python clean module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


30) Cross-site scripting (CVE-ID: CVE-2021-28957)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


31) Error Handling (CVE-ID: CVE-2023-23931)

The vulnerability allows an attacker to misuse Python API.

The vulnerability exists due to a soundness bug within the Cipher.update_into function, which can allow immutable objects (such as bytes) to be mutated. A malicious programmer can misuse Python API to introduce unexpected behavior into the application.


32) Exposed dangerous method or function (CVE-ID: CVE-2020-10683)

The vulnerability allows a remote attacker to abuse implemented functionality.

The vulnerability exists due to dom4j allows by default external DTDs and External Entities. A remote attacker can abuse this functionality and perform XXE attack against application that uses dom4j default configuration.


33) Type conversion (CVE-ID: CVE-2020-10735)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion in algorithms with quadratic time complexity when using non-binary bases within the int() call. A remote attacker can pass specially crafted data to the affected application and perform a denial of service (DoS) attack.


34) XXE attack (CVE-ID: CVE-2018-1000632)

The vulnerability allows a remote attacker to conduct XXE attack on the target system.

The vulnerability exists due to improper sanitization of elements and attribute names in XML documents. A remote attacker can trick the victim into opening a specially crafted XML document that submits malicious input, perform XXE attack and bypass security restrictions to access and modify sensitive information on the system.


35) Out-of-bounds read (CVE-ID: CVE-2023-7104)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the sessionReadRecord() function in ext/session/sqlite3session.c when processing a corrupt changeset. A remote user can send a specially crafted request to trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service attack.


36) Resource management error (CVE-ID: CVE-2022-40304)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in entities.c due to the way libxml2 handles reference cycles. The library does not anticipate that entity content can be allocated from a dict and clears it upon reference cycle detection by setting its first byte to zero. This can lead to memory corruption  issues, such as double free errors and result in a denial of service.


37) Integer overflow (CVE-ID: CVE-2022-40303)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in parse.c when processing content when XML_PARSE_HUGE is set. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


38) Resource management error (CVE-ID: CVE-2023-3446)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the DH_check(), DH_check_ex() and EVP_PKEY_param_check() function when processing a DH key or DH parameters. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


39) Input validation error (CVE-ID: CVE-2023-27043)

The vulnerability allows a remote attacker to bypass filtration.

The vulnerability exists due to insufficient validation of user-supplied input when parsing email address with a special character. A remote attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain.


40) Deserialization of Untrusted Data (CVE-ID: CVE-2022-25647)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to insecure input validation when processing serialized data passed to writeReplace() method. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.


41) Incorrect Regular Expression (CVE-ID: CVE-2020-28493)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect subpattern applied to untrusted input. A remote attacker can pass specially crafted data to the application and perform a regular expression DoS (ReDOS) attack.


Remediation

Install update from vendor's website.

References