
Security Bulletin: IBM QRadar SIEM can be affected by a command injection vulnerability (CVE-2013-2970)

Date: 2022-09-26 05:45:55
Source: www.ibm.com
Tags: ibm qradar siem, command injection, vulnerability, remote shell access, cve-2013-2970

CVSS2: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.003
Percentile: 69.1%

Abstract

A vulnerability has been discovered within the IBM QRadar Security Information and Event Manager (SIEM) software that allows an authenticated user to execute limited operating system commands on the QRadar device and gain limited remote shell access.

Content

VULNERABILITY DETAILS:

DESCRIPTION:

CVE-2013-2970
A command injection vulnerability has been discovered within the IBM QRadar SIEM software that allows an authenticated user to execute operating system commands as a limited access user on the QRadar device. This access could be used to gain remote shell access as that webservices user. Even though authenticated users of the QRadar SIEM do not necessarily have shell access, action should be taken to ensure this issue is patched as soon as possible.

The attack can be conducted over the internet. Some degree of specialized knowledge and techniques are required to conduct this attack. Multiple authentication attempts are required for this attack. An exploit may have a limited impact on the confidentiality of information and the integrity of data and could reduce performance / cause interruptions to availability.

CVEID:
CVE-2013-2970

CVSS Base Score: 6.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83872>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:P/I:P/A:P)

AFFECTED PRODUCTS AND VERSIONS:
IBM QRadar Security Information and Event Manager (SIEM) 7.0
IBM QRadar Security Information and Event Manager (SIEM) 7.1

REMEDIATION:

The vulnerability is fixed in the following version of QRadar SIEM:

Workaround(s):
None

Mitigation(s):
None

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2013-2970
· https://exchange.xforce.ibmcloud.com/vulnerabilities/83872
· IBM Security Alerts
· QRadar SIEM 7.1MR2 Patch 1
· Interim Fix 7.0.0-QRadar-QRSCRIPT-CVE-2013-2970.sh

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
This vulnerability was reported to IBM by Stephen Hosom

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Affected configurations

Vendor | Product | Version | CPE
ibm | qradar_network_security | 7.1 | cpe:2.3:a:ibm:qradar_network_security:7.1:*:*:*:*:*:*:*
ibm | qradar_network_security | 7.0 | cpe:2.3:a:ibm:qradar_network_security:7.0:*:*:*:*:*:*:*
