SB2024101815 - Multiple vulnerabilities in QRadar Incident Forensics

Description

This security bulletin contains information about 30 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2021-42771)

The vulnerability allows a remote attacker to user compromise the affected system.

The vulnerability exists due to input validation error when processing directory traversal sequences within the locale .dat files in Babel.Locale. A remote user can load a malicious .dat file containing serialized Python objects and execute arbitrary code on the system.

2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-28752)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in Aegis DataBinding. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

3) Buffer overflow (CVE-ID: CVE-2020-26154)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled, as demonstrated by a large PAC file that is delivered without a Content-length header.

4) Out-of-bounds write (CVE-ID: CVE-2020-25219)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion.

5) NULL pointer dereference (CVE-ID: CVE-2023-2953)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the ber_memalloc_x() function. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.

6) Integer overflow (CVE-ID: CVE-2022-48468)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow within parse_required_member() function. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

7) Reliance on undefined behavior (CVE-ID: CVE-2023-20592)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to unexpected behavior of the INVD instruction in some AMD CPUs. A malicious hypervisor can affect cache line write-back behavior of the CPU and modify guest virtual machine (VM) memory.

8) Protection Mechanism Failure (CVE-ID: CVE-2022-46329)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A local user can bypass implemented security restrictions and elevate privileges on the system.

9) Cross-site scripting (CVE-ID: CVE-2024-22195)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the xmlattr filter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

10) Integer overflow (CVE-ID: CVE-2023-37536)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow. A remote attacker can pass specially crafted data to the application, trigger integer overflow and perform a denial of service (DoS) attack.

11) Use-after-free (CVE-ID: CVE-2018-1311)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when scanning an external DTS file. A remote attacker can supply a specially crafted DTS file, trigger a use-after-free error and execute arbitrary code on the target system.

12) Input validation error (CVE-ID: CVE-2023-23934)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of "nameless" cookies. A remote attacker can manipulate cookie values for an arbitrary domain.

13) Resource exhaustion (CVE-ID: CVE-2023-25577)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing multipart form data with many fields. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

14) Inefficient Algorithmic Complexity (CVE-ID: CVE-2023-46136)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to high resource usage when parsing multipart/form-data. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

15) Improper access control (CVE-ID: CVE-2024-23944)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in persistent watchers. A remote user can bypass implemented security restrictions and obtain user names or login identifiers.

16) Improper Initialization (CVE-ID: CVE-2023-31346)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper initialization in SEV Firmware. A local user can run a specially crafted application to access stale data from other guests.

17) Information disclosure (CVE-ID: CVE-2023-32681)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. A remote attacker can gain unauthorized access to sensitive information on the system.

18) Out-of-bounds read (CVE-ID: CVE-2024-37371)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when handling GSS message token. A remote attacker can send specially crafted token to the application, trigger an out-of-bounds read error and read contents of memory on the system.

19) Input validation error (CVE-ID: CVE-2024-37370)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

20) Buffer overflow (CVE-ID: CVE-2021-45429)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the yr_set_configuration() function in yara/libyara/libyara.c. A remote attacker can trick the victim into loading a specially crafted file and crash the application.

21) CRLF injection (CVE-ID: CVE-2020-26137)

The vulnerability allows a remote attacker to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data passed via the "method" parameter. A remote authenticated attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.

22) Resource exhaustion (CVE-ID: CVE-2020-7212)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an inefficient algorithm in the "_encode_invalid_chars" function in "util/url.py". A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

23) Information disclosure (CVE-ID: CVE-2023-45803)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to urllib3 does not remove the HTTP request body when redirecting HTTP response using status codes 301, 302, or 303, after the request had its method changed from one that could accept a request body (e.g. from POST to GET). A remote attacker can gain access to potentially sensitive information.

24) Information disclosure (CVE-ID: CVE-2023-43804)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to urllib does not strip the "Cookie" HTTP header during cross-origin HTTP redirects. A remote attacker can gain unauthorized access to sensitive information.

25) Integer overflow (CVE-ID: CVE-2024-5197)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in the vpx_img_alloc() and vpx_img_wrap() functions. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

26) Heap-based buffer overflow (CVE-ID: CVE-2023-6349)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

27) Integer overflow (CVE-ID: CVE-2022-38725)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in the RFC3164 parser. A remote attacker can send specially crafted data to the service, trigger an integer overflow and perform a denial of service (DoS) attack.

28) Information disclosure (CVE-ID: CVE-2023-30861)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to missing Vary: Cookie header. A remote attacker can gain unauthorized access to sensitive information on the system.

29) Cleartext transmission of sensitive information (CVE-ID: CVE-2024-28786)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to software uses insecure communication channel to transmit sensitive information. A remote attacker with ability to intercept network traffic can gain access to sensitive data.

30) Information disclosure (CVE-ID: CVE-2024-37891)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to Prox-Authorization header is not stripped during cross-origin redirects when using urllib3's proxy support with ProxyManager. A remote attacker can gain obtain proxy credentials used by the library.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7173420