Vigil@nce - IBM QRadar SIEM: privilege escalation via session steal
March 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can take advantage of the lack of session expiration in
IBM QRadar SIEM in order to escalate his privileges.
Impacted products: QRadar SIEM.
Severity: 1/4.
Creation date: 16/02/2016.
DESCRIPTION OF THE VULNERABILITY
The IBM QRadar SIEM product offers a web interface.
Since HTTP does not provide application-level sessions,
applications must define an inactivity timeout whose expiration
triggers the deletion of all session context, notably the
authentication result used for access-control decisions.
However, by default, QRadar does not use such a timeout. So an
attacker who can use a QRadar user's browser obtains the same access
rights as that user.
An attacker can therefore take advantage of the lack of session
expiration in IBM QRadar SIEM in order to escalate his privileges.
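The mitigation the bulletin describes, an inactivity timeout that discards the whole authentication context, shown as an added illustration that is not QRadar's or Vigil@nce's code; the store, the 15-minute policy value and the manual clock are assumptions made so the example runs offline.

```python
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value, not taken from QRadar


class ManualClock:
    """Constructed clock so the example is deterministic offline."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """In-memory session store enforcing an inactivity timeout.

    idle_timeout=None reproduces the weak default the bulletin describes:
    an authenticated session stays valid for as long as the cookie exists.
    """
    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}

    def create(self, session_id, user, roles):
        self._sessions[session_id] = {
            "user": user, "roles": list(roles), "last_seen": self.clock()}

    def lookup(self, session_id):
        """Return the session context, or None if unknown or expired."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        now = self.clock()
        if self.idle_timeout is not None and now - entry["last_seen"] >= self.idle_timeout:
            del self._sessions[session_id]  # drop auth result with the session
            return None
        entry["last_seen"] = now  # any authenticated request resets the idle clock
        return entry

    def sweep(self):
        """Purge every idle session; returns how many were removed."""
        stale = [sid for sid in list(self._sessions) if self.lookup(sid) is None]
        return len(stale)
```

Calling `lookup` on every request both enforces the timeout and refreshes `last_seen`; `sweep` lets a background task reclaim sessions whose user simply walked away.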
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/IBM-QRadar-SIEM-privilege-escalation-via-session-steal-18948