CVSS3 Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

EPSS Percentile: 5.1%
IBM QRadar WinCollect Agent when installed to run as Admin or System, or with Admin or System privileges, is vulnerable to a local escalation of privilege attack that a non-privileged user could utilize to gain System permissions. IBM has addressed the relevant vulnerability.
CVEID: CVE-2023-38736
**DESCRIPTION:** IBM QRadar WinCollect Agent, when installed to run as ADMIN or SYSTEM, is vulnerable to a local escalation of privilege attack that a normal user could utilize to gain SYSTEM permissions.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262542 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
QRadar WinCollect Agent | 10.0 - 10.1.6 |
IBM recommends customers upgrade their systems promptly.
There is a new upgrade for the WinCollect standalone agent. The following WinCollect standalone agent versions can be used to upgrade the affected versions to resolve the vulnerability by applying the mitigation steps below. For information on how to upgrade your WinCollect version, see the WinCollect 10.1.7 release notes:
<https://www.ibm.com/support/pages/node/7028216>
QRadar Version | WinCollect Standalone Agent 10.1.7 Versions |
---|---|
7.5 | WinCollect Agent MSI (64-bit) - Standalone only |
7.5 | WinCollect Agent MSI (32-bit) - Standalone only |
For upgrades to 10.1.7, the following steps are needed for complete remediation. Fresh installs of 10.1.7 or greater are not affected.
When using the default path for install location and data, rerun the installer and select the “modify” option, select the options desired and run. This will update the permissions on the default locations.
When using custom paths for install and data locations, ensure the parent directories have file permissions that prevent unwanted modifications to WinCollect data and program files.
A future release of WinCollect will negate the need for post-upgrade remediation steps.
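One way to check the custom-path step above, as an added example that is not IBM's code: the PowerShell function below walks from a directory up to the drive root and lists Allow entries that grant write, delete or ACL-changing rights to anyone outside a trusted set. The function name, the trusted-SID list and the sample path in the last comment are assumptions.

```powershell
# Added example, not IBM code. Function name and trusted-SID list are assumptions.
function Get-UntrustedWriteAce {
    param(
        # Custom WinCollect install or data directory (must be a directory).
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: only these principals should be able to modify agent files.
        [string[]] $TrustedSid = @(
            'S-1-5-18',      # NT AUTHORITY\SYSTEM
            'S-1-5-32-544',  # BUILTIN\Administrators
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
        )
    )
    # Rights that allow changing content, deleting, or rewriting the ACL or owner.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_ALL | GENERIC_WRITE: Get-Acl can return these bits unmapped.
    $genericMask = 0x50000000
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $dir = Get-Item -LiteralPath $Path -ErrorAction Stop
    while ($null -ne $dir) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Explicit and inherited entries, with identities returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSid -contains $ace.IdentityReference.Value) { continue }
            $bits = [int]$ace.FileSystemRights
            if (-not (($bits -band $writeMask) -or ($bits -band $genericMask))) { continue }
            # Resolve the SID to a name for display; keep the SID if that fails.
            try {
                $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = $ace.IdentityReference.Value
            }
            [pscustomobject]@{
                Directory        = $dir.FullName
                Identity         = $name
                Rights           = $ace.FileSystemRights
                Inherited        = $ace.IsInherited
                InheritanceFlags = $ace.InheritanceFlags
                PropagationFlags = $ace.PropagationFlags
            }
        }
        $dir = $dir.Parent   # $null once the drive root has been processed
    }
}
# Constructed sample path; replace with the actual custom location:
# Get-UntrustedWriteAce -Path 'D:\Custom\WinCollect' | Format-Table -AutoSize
```

An empty result means no principal outside the trusted list holds these rights on the directory or its parents. The `InheritanceFlags` and `PropagationFlags` columns show whether a reported entry applies to the directory itself or only to items created beneath it.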
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | qradar_network_security | 10 | cpe:2.3:a:ibm:qradar_network_security:10:*:*:*:*:*:*:* |