SB2024021632 - Multiple vulnerabilities in IBM QRadar WinCollect Agent

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024021632

SB2024021632 - Multiple vulnerabilities in IBM QRadar WinCollect Agent

Published: February 16, 2024 Updated: February 21, 2025

Security Bulletin ID SB2024021632
Severity
High
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 10% Medium 40% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) External control of file name or path (CVE-ID: CVE-2023-38546)

The vulnerability allows an attacker to inject arbitrary cookies into request.

The vulnerability exists due to the way cookies are handled by libcurl. If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl.

2) Heap-based buffer overflow (CVE-ID: CVE-2023-38545)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the SOCKS5 proxy handshake. A remote attacker can trick the victim to visit a malicious website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that SOCKS5 proxy is used and that SOCKS5 handshake is slow (e.g. under heavy load or DoS attack).


3) Incorrect Comparison (CVE-ID: CVE-2023-45133)

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists in '@babel/traverse' and `babel-traverse`. A local user can execute arbitrary code during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods.


4) Resource management error (CVE-ID: CVE-2023-5678)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within DH_generate_key() and DH_check_pub_key() functions. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


5) Information disclosure (CVE-ID: CVE-2023-46218)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error in curl that allows a malicious HTTP server to set "super cookies" that are then passed back to more origins than what is otherwise allowed or possible. A remote attacker can force curl to send such cookie to different and unrelated sites and domains.


6) Missing Encryption of Sensitive Data (CVE-ID: CVE-2023-46219)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error when handling HSTS long file names. When saving HSTS data to an excessively long file name, curl can end up removing all contents from the file, making subsequent requests using that file unaware of the HSTS status they should otherwise use. As a result, a remote attacker can perform MitM attack.


7) Input validation error (CVE-ID: CVE-2023-4807)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the POLY1305 MAC (message authentication code) implementation. A remote attacker can send specially crafted input to the application and corrupt MM registers on Windows 64 platform, resulting in a denial of service condition.


8) NULL pointer dereference (CVE-ID: CVE-2024-0727)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when processing fields in the PKCS12 certificate. A remote attacker can pass specially crafted certificate to the server and perform a denial of service (DoS) attack.


9) State Issues (CVE-ID: CVE-2023-6129)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in POLY1305 MAC (message authentication code) implementation on PowerPC CPU based platforms if the CPU provides vector instructions. A remote attacker can perform a denial of service (DoS) attack.


10) Cryptographic issues (CVE-ID: CVE-2023-5363)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error when processing key and initialisation vector lengths in EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() function. A remote attacker can gain access to potentially sensitive information.

The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.


Remediation

Install update from vendor's website.

References