[German]IBM warns that QRadar Azure warn is vulnerable to remote attacks via the OMIGOD vulnerability CVE-2021-38647. Remote attackers could execute arbitrary code. This would have a similar impact to the supply chain attack on Kaseya VSA, a remote management and monitoring (RMM) software.
What is IBM QRadar Azure?
The Microsoft Azure Platform DSM collects events that occur at the platform level, such as the creation, modification or deletion of resources. IBM® QRadar® DSM (Desktop and Server Management) is also available as a SIEM system for Microsoft Azure. IBM QRadar DSM for Microsoft Azure analyzes events from the Microsoft Azure Activity Log.
Vulnerable via OMIGOD vulnerability CVE-2021-38647
Security experts warn in the following tweet that the Open Management Infrastructure RPM package in IBM QRadar Azure Marketplace images is affected by the vulnerability CVE-2021-38647.
This is a remote code execution vulnerability rated at CVE value 9.8, which is also part of the Azure OMIGOD vulnerabilities recently discussed here on the blog. In the case of IBM QRadar Azure, a remote attacker can exploit the vulnerability to execute arbitrary code on vulnerable installations, according to this article or this IBM Security Bulletin.
The vulnerability can be triggered by running a specially crafted program on vulnerable systems and affects the following versions:
- IBM QRadar Versionen 7.3.0 bis 7.3.3 Patch 9
- IBM QRadar Versionen 7.4.0 bis 7.4.3 Patch 2
An unauthenticated attacker can remotely exploit the vulnerability by sending a specially crafted message over HTTPS to the port listening for Open Management Infrastructure (OMI) on a vulnerable system. On most Linux distributions, the command:
netstat -an | grep <Port-Nummer>
indicates whether processes are listening for <port number>. Microsoft fixed the vulnerability with the release of security updates on Patch Tuesday in September 2021 (see Patch Microsoft Azure vulnerabilities OMIGOD in Linux VMs).
Patch Microsoft Azure vulnerabilities OMIGOD in Linux VMs
REvil Ransomware attack at 200 Companies via Kaseya VSA and Management Service Provider (MSP)
Coop-Sweden closes 800 stores after Kaseya VSA supply chain attack by REvil gang
Follow-up to the Kaseya supply chain attack
Kaseya received universal decryption tool after ransomware attack
Kaseya allegedly demands NDA against decryption tool
Kaseya: Decryption key revealed, backup update closes vulnerabilities
Cookies helps to fund this blog: Cookie settings