Multiple vulnerabilities in IBM QRadar WinCollect Agent



Published: 2023-12-01
Risk Medium
Patch available YES
Number of vulnerabilities 6
CVE-ID CVE-2022-25883
CVE-2023-1255
CVE-2023-32001
CVE-2023-38039
CVE-2021-39008
CVE-2023-26279
CWE-ID CWE-185
CWE-125
CWE-367
CWE-400
CWE-200
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		IBM QRadar WinCollect Agent
Server applications / Other server solutions

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Incorrect Regular Expression

EUVDB-ID: #VU78932

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-25883

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application via the new Range function and perform regular expression denial of service (ReDos) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar WinCollect Agent: 10.0 - 10.1.7

External links

http://www.ibm.com/support/pages/node/7081403


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds read

EUVDB-ID: #VU75388

Risk: Low

CVSSv3.1: 2.2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-1255

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows an attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the AES-XTS cipher decryption implementation for 64 bit ARM platform. An attacker with ability to control the size and location of the ciphertext buffer can trigger an out-of-bounds read and crash the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar WinCollect Agent: 10.0 - 10.1.7

External links

http://www.ibm.com/support/pages/node/7081403


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Time-of-check Time-of-use (TOCTOU) Race Condition

EUVDB-ID: #VU78540

Risk: Low

CVSSv3.1: 2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32001

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Exploit availability: No

Description

The vulnerability allows a local users to escalate privileges on the system.

The vulnerability exists due to a race condition when calling fopen() on STS and/or alt-svc data to files. A local user can create or rename directory entries in the directory the victim saves their files and abuse the symbolic link behavior to overwrite arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar WinCollect Agent: 10.0 - 10.1.7

External links

http://www.ibm.com/support/pages/node/7081403


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource exhaustion

EUVDB-ID: #VU80732

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-38039

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not limit the size of received headers from a single request that are stored for future reference. A remote attacker can send overly large HTTP responses to the application and consume all memory resources.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar WinCollect Agent: 10.0 - 10.1.7

External links

http://www.ibm.com/support/pages/node/7081403


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Information disclosure

EUVDB-ID: #VU83621

Risk: Low

CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39008

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote privileged user can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar WinCollect Agent: 10.0 - 10.1.7

External links

http://www.ibm.com/support/pages/node/7081403


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Input validation error

EUVDB-ID: #VU83622

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-26279

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform unauthorized actions on the system.

The vulnerability exists due to insufficient validation of encoding. A local user can perform unauthorized actions on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar WinCollect Agent: 10.0 - 10.1.7

External links

http://www.ibm.com/support/pages/node/7081403


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###