Deserialization vulnerability in SIEM product could lead to complete system compromise

QRadar: Popular IBM security tool open to remote code execution attacks

A Java deserialization bug in QRadar, IBM’s enterprise security information and event management (SIEM) platform, allowed hackers to conduct various attacks, including remote code execution.

The bug, found by a security researcher at Netherlands-based start-up Securify, could be triggered by passing objects containing malicious code to a Servlet component of QRadar Community Edition.

Java client applications convert objects into streams of bytes – or ‘serialize’ them – and send them to servers, which deserialize them into their original structure before processing.

If a server deserializes untrusted input without restricting which objects it will accept, attackers can exploit the process by sending crafted data to Java application servers.

Securify’s Yorick Koster, who reported the bug to IBM, found it in the JSON-RPC implementation of QRadar’s RemoteJavaScript Servlet.

According to Koster’s findings, some of the methods in the RemoteJavaScript Servlet use the org.apache.commons.lang3.SerializationUtils class, which does not perform any checks when deserializing passed objects.

“No checks have been implemented to prevent deserialization of arbitrary objects.

“Consequently, an authenticated user can call one of the affected methods and cause the RemoteJavaScript Servlet to deserialize arbitrary objects,” Koster writes, adding that an attacker could exploit this vulnerability by sending a specially crafted object to conduct “denial of service, change of system settings, or execution of arbitrary code”.
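The pattern Koster describes, a plain `SerializationUtils.deserialize`-style call that accepts any class named in the stream, next to the allow-listing fix that prevents deserialization of arbitrary objects. This is an added illustration written for this article, not code from QRadar or from Koster’s advisory; `SettingsRequest`, `deserializeUnchecked` and `deserializeAllowListed` are hypothetical names chosen for the example.

```java
import java.io.*;
import java.util.Set;

public class SafeDeserializationDemo {
    // Hypothetical request type an RPC method legitimately expects (constructed for this example).
    public static final class SettingsRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        SettingsRequest(String key) { this.key = key; }
    }

    // Vulnerable pattern, equivalent to SerializationUtils.deserialize(bytes): every class
    // named in the stream is resolved and instantiated before any cast is checked.
    static Object deserializeUnchecked(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a look-ahead allow list enforced in resolveClass, so the stream is rejected
    // before an unexpected class is resolved (Java 9+ can also express this with ObjectInputFilter, JEP 290).
    static final Set<String> ALLOWED = Set.of(SettingsRequest.class.getName());
    static Object deserializeAllowListed(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "not on deserialization allow list");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(obj); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SettingsRequest("theme"));
        // Any other Serializable class stands in for an object the endpoint was never meant to accept.
        byte[] unexpected = serialize(new java.util.ArrayList<String>());
        System.out.println("unchecked accepted: " + deserializeUnchecked(unexpected).getClass().getName());
        System.out.println("allow-listed accepted: " + deserializeAllowListed(expected).getClass().getName());
        try { deserializeAllowListed(unexpected); }
        catch (InvalidClassException e) { System.out.println("allow-listed rejected: " + e.getMessage()); }
    }
}
```

The allow list must name every serializable class that can appear in a legitimate stream, including superclasses and field types (String is encoded specially and needs no entry), so keep the expected request types small and flat.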

Access required

While the vulnerability was dangerous, exploiting it required an attacker to have access to a valid user account in the QRadar installation because the Servlet was only accessible to authenticated user sessions.

“A valid account is needed to trigger the vulnerability. But the account doesn’t require any special permissions. Any account would work,” Koster told The Daily Swig.

Koster published a proof of concept that demonstrates the vulnerability by using it to achieve remote code execution.

“The code will run as the ‘nobody’ user. You could chain it with a local privilege escalation vulnerability to completely compromise the system,” Koster said.

“Running arbitrary code as ‘nobody’ allows you to pretty much do everything the QRadar application can do, like gaining access to alert data, which could be sensitive.”

Fast patch

Koster found and reported the deserialization vulnerability along with nine other bugs in January while actively researching QRadar CE. Most were fixed in April.

The RemoteJavaScript Servlet was fixed in the latest version of QRadar CE, released in October.

“This particular issue was the last remaining open issue. I guess it was harder to fix as it affects their entire JSON-RPC API,” he said.

“I was surprised that I could find quite a number of issues in a relatively short amount of time within a security product. It’s sad to see that even the security industry fails at creating secure applications.”