OMIGOD: IBM QRadar Azure vulnerable via CVE-2021-38647

Posted on 2021-10-04 by guenni

[German]IBM warns that QRadar Azure  warn is vulnerable to remote attacks via the OMIGOD vulnerability CVE-2021-38647. Remote attackers could execute arbitrary code. This would have a similar impact to the supply chain attack on Kaseya VSA, a remote management and monitoring (RMM) software.

Advertising

What is IBM QRadar Azure?

The Microsoft Azure Platform DSM collects events that occur at the platform level, such as the creation, modification or deletion of resources. IBM® QRadar® DSM (Desktop and Server Management) is also available as a SIEM system for Microsoft Azure. IBM QRadar DSM for Microsoft Azure analyzes events from the Microsoft Azure Activity Log.  

Vulnerable via OMIGOD vulnerability CVE-2021-38647

Security experts warn in the following tweet that the Open Management Infrastructure RPM package in IBM QRadar Azure Marketplace images is affected by the vulnerability CVE-2021-38647.

IBM QRadar Azure CVE-2021-38647

This is a remote code execution vulnerability rated at CVE value 9.8, which is also part of the Azure OMIGOD vulnerabilities recently discussed here on the blog. In the case of IBM QRadar Azure, a remote attacker can exploit the vulnerability to execute arbitrary code on vulnerable installations, according to this article or this IBM Security Bulletin

The vulnerability can be triggered by running a specially crafted program on vulnerable systems and affects the following versions:

Advertising
  • IBM QRadar Versionen 7.3.0 bis 7.3.3 Patch 9
  • IBM QRadar Versionen 7.4.0 bis 7.4.3 Patch 2

An unauthenticated attacker can remotely exploit the vulnerability by sending a specially crafted message over HTTPS to the port listening for Open Management Infrastructure (OMI) on a vulnerable system. On most Linux distributions, the command:

netstat -an | grep <Port-Nummer>

indicates whether processes are listening for <port number>. Microsoft fixed the vulnerability with the release of security updates on Patch Tuesday in September 2021 (see Patch Microsoft Azure vulnerabilities OMIGOD in Linux VMs).

Similar article:
Patch Microsoft Azure vulnerabilities OMIGOD in Linux VMs
REvil Ransomware attack at 200 Companies via Kaseya VSA and Management Service Provider (MSP)
Coop-Sweden closes 800 stores after Kaseya VSA supply chain attack by REvil gang
Follow-up to the Kaseya supply chain attack
Kaseya received universal decryption tool after ransomware attack
Kaseya allegedly demands NDA against decryption tool
Kaseya: Decryption key revealed, backup update closes vulnerabilities

Advertising
This entry was posted in Cloud, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).