Deserialization vulnerability in SIEM product could lead to complete system compromise
The bug, found by a security researcher at Netherlands-based start-up Securify, could be triggered by passing objects containing malicious code to a Servlet component of QRadar Community Edition.
Java client applications convert objects into streams of bytes – or ‘serialize’ them – and send them to servers, which deserialize them into their original structure before processing.
If deserialization is not handled properly, hackers can exploit the process to send malicious data to Java application servers.
“No checks have been implemented to prevent deserialization of arbitrary objects.
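The missing check the researcher describes is a deserialization filter. The following Java class is an added illustration, not code from QRadar, IBM or Securify: it places the unsafe pattern (a plain `ObjectInputStream.readObject()` on request bytes) beside a hardened version that uses the standard `java.io.ObjectInputFilter` allow-list (Java 9 and later). The `AlertQuery` class is a hypothetical payload standing in for whatever a JSON-RPC servlet legitimately expects; `java.util.HashMap` stands in for any class the endpoint was never meant to accept.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationFilterDemo {

    // Hypothetical request object: the only application class the endpoint should accept.
    public static final class AlertQuery implements Serializable {
        private static final long serialVersionUID = 1L;
        final String queryText;
        AlertQuery(String queryText) { this.queryText = queryText; }
    }

    // UNSAFE: the situation the article describes. Any Serializable class on the
    // server's classpath can be instantiated from attacker-controlled bytes, and
    // its readObject()/readResolve() logic runs before the caller sees the result.
    static Object readUnsafe(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // HARDENED: an allow-list filter. Only the named classes may be deserialized;
    // the trailing "!*" rejects everything else, and the limits cap graph depth and
    // array sizes so a hostile stream cannot exhaust memory either. The filter is
    // consulted before the rejected class is resolved or instantiated.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=10000;"
            + "java.lang.String;java.lang.Number;java.lang.Integer;java.lang.Long;"
            + "DeserializationFilterDemo$AlertQuery;!*");

    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return in.readObject(); // throws InvalidClassException when the filter rejects a class
        }
    }

    // Helper used only to build sample streams for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one expected payload, one unexpected class.
        byte[] expected = serialize(new AlertQuery("severity > 7"));
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        // Without a filter the unexpected class is happily reconstructed.
        System.out.println("unfiltered, unexpected class: " + readUnsafe(unexpected).getClass().getName());

        // With the filter, the expected payload still works...
        System.out.println("filtered, expected class:     " + readFiltered(expected).getClass().getName());

        // ...and the unexpected class is refused before it is instantiated.
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected class:   accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The same filter can be applied process-wide with `ObjectInputFilter.Config.setSerialFilter(...)` or the `jdk.serialFilter` system property, which is the practical way to cover every `ObjectInputStream` in a large application such as a JSON-RPC API rather than patching each call site individually.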
While the vulnerability was dangerous, exploiting it required an attacker to have access to a valid user account in the QRadar installation because the Servlet was only accessible to authenticated user sessions.
“A valid account is needed to trigger the vulnerability. But the account doesn’t require any special permissions. Any account would work,” Koster told The Daily Swig.
Koster published a proof of concept that demonstrates the vulnerability, using it to achieve remote code execution (RCE).
“The code will run as the ‘nobody’ user. You could chain it with a local privilege escalation vulnerability to completely compromise the system,” Koster said.
“Running arbitrary code as ‘nobody’ allows you to pretty much do everything the QRadar application can do, like gaining access to alert data, which could be sensitive.”
Koster found and reported the deserialization vulnerability along with nine other bugs in January while actively researching QRadar CE. Most were fixed in April.
“This particular issue was the last remaining open issue. I guess it was harder to fix as it affects their entire JSON-RPC API,” he said.
“I was surprised that I could find quite a number of issues in a relatively short amount of time within a security product. It’s sad to see that even the security industry fails at creating secure applications.”