Security Bulletin: IBM QRadar WinCollect Agent is vulnerable to a local escalation of privilege attack in some configurations (CVE-2023-38736)

Published: 2023-09-06 22:47:01
Source: www.ibm.com

CVSS3: 7.8 High
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.0004 Low (Percentile 5.1%)

Summary

IBM QRadar WinCollect Agent when installed to run as Admin or System, or with Admin or System privileges, is vulnerable to a local escalation of privilege attack that a non-privileged user could utilize to gain System permissions. IBM has addressed the relevant vulnerability.

Vulnerability Details

CVEID: CVE-2023-38736
DESCRIPTION: IBM QRadar WinCollect Agent, when installed to run as ADMIN or SYSTEM, is vulnerable to a local escalation of privilege attack that a normal user could utilize to gain SYSTEM permissions.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/262542 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)        Version(s)
QRadar WinCollect Agent    10.0 - 10.1.6

Remediation/Fixes

IBM recommends customers upgrade their systems promptly.

There is a new upgrade for the WinCollect standalone agent. The following WinCollect standalone agent versions can be used to upgrade the affected versions to resolve the vulnerability by applying the mitigation steps below. For information on how to upgrade your WinCollect version, see the WinCollect 10.1.7 release notes:

https://www.ibm.com/support/pages/node/7028216

QRadar Version    WinCollect Standalone Agent 10.1.7 Versions
7.5               WinCollect Agent MSI (64-bit) - Standalone only
                  WinCollect Agent MSI (32-bit) - Standalone only

Workarounds and Mitigations

For upgrades to 10.1.7, the following steps are needed for complete remediation. Fresh installs of 10.1.7 or later are not affected.

When using the default paths for the install location and data, rerun the installer, select the “modify” option, select the options desired and run. This updates the permissions on the default locations.

When using custom paths for install and data locations, ensure the parent directories have file permissions that prevent unwanted modifications to WinCollect data and program files.
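As an added example (not part of IBM's bulletin or of WinCollect itself), the following PowerShell audit walks the WinCollect install and data directories and each parent directory below the drive root, and reports Allow ACEs that grant write-class rights to groups every local user belongs to. The two default values in $Paths are assumptions; replace them with the paths chosen at install time.

```powershell
# Added example, not IBM's tooling: report ACEs on the WinCollect install/data
# directories (and every parent below the drive root) that let non-privileged
# users modify them. The two paths below are assumptions; pass your own.
param(
    [string[]]$Paths = @('C:\Program Files\IBM\WinCollect',   # assumed install path
                         'C:\ProgramData\IBM\WinCollect')     # assumed data path
)

# Groups every interactive local user is a member of. An Allow ACE for any of
# these with write-class rights anywhere on the agent's directory tree is a finding.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow planting, replacing or deleting files, or re-ACLing the tree.
$WriteRights = [System.Security.AccessControl.FileSystemRights] (
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

function Get-WeakAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Some inherited ACEs carry generic rights (shown as negative numbers);
        # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) also count.
        $generic = [int]$ace.FileSystemRights -band 0x50000000
        if ((($ace.FileSystemRights -band $WriteRights) -eq 0) -and ($generic -eq 0)) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = $ace.InheritanceFlags   # inherit-only ACEs still reach new subfolders
        }
    }
}

$findings = foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
    $dir = (Get-Item -LiteralPath $p).FullName
    # Walk up to, but not including, the drive root, whose ACL is OS-managed.
    while ($dir -and $dir -ne [System.IO.Path]::GetPathRoot($dir)) {
        Get-WeakAce -Path $dir
        $dir = Split-Path -Path $dir -Parent
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No write-class ACEs for low-privilege principals found.' }
```

A custom directory created directly under the drive root typically inherits Modify for Authenticated Users, which is exactly the case this report surfaces on the child directory rather than on the root.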

A future release of WinCollect will negate the need for post-upgrade remediation steps.
