CVE-2019-4545

7.5 HIGH

📋 TL;DR

IBM QRadar SIEM versions 7.3 and 7.4 configured with Active Directory authentication are vulnerable to spoofing attacks. This allows attackers to impersonate legitimate users and potentially gain unauthorized access to the SIEM system. Organizations using these QRadar versions with AD authentication are affected.

💻 Affected Systems

Products:
  • IBM QRadar SIEM
Versions: 7.3.0 through 7.3.3, 7.4.0 through 7.4.3
Operating Systems: Linux
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when configured to use Active Directory authentication. Local authentication is not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access to QRadar SIEM, allowing them to manipulate security alerts, delete logs, disable monitoring, and potentially pivot to other systems in the network.

🟠

Likely Case

Attackers gain standard user access to QRadar, allowing them to view sensitive security data, modify alerts, and potentially escalate privileges within the system.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to the QRadar system itself with no lateral movement to other critical systems.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network access to the QRadar system and knowledge of AD authentication configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.3.3 Patch 6 or 7.4.3 Patch 6

Vendor Advisory: https://www.ibm.com/support/pages/node/6344077

Restart Required: Yes

Instructions:

1. Download the appropriate patch from IBM Fix Central.
2. Apply the patch using the QRadar console.
3. Restart QRadar services.
4. Verify patch installation in the Admin tab.

🔧 Temporary Workarounds

Switch to Local Authentication (platform: linux)

Temporarily disable Active Directory authentication and use local QRadar authentication only.

Network Segmentation (platform: all)

Restrict network access to QRadar management interfaces to trusted IP ranges only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach QRadar authentication endpoints
  • Enable detailed authentication logging and monitor for suspicious login attempts

🔍 How to Verify

Check if Vulnerable:

Check the QRadar version in the Admin tab and confirm whether AD authentication is enabled in the authentication settings.

Check Version:

ssh admin@qradar-host 'cat /opt/qradar/VERSION'

Verify Fix Applied:

Verify patch installation in Admin > System and License Management > Installed Updates

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts from same source
  • Successful logins from unusual IP addresses or outside business hours
  • Authentication events showing spoofed user accounts

Network Indicators:

  • Unusual authentication traffic patterns to QRadar LDAP/Kerberos ports
  • Authentication requests from unexpected network segments

SIEM Query:

SELECT * FROM events WHERE devicetype=28 AND (eventname LIKE '%authentication%' OR eventname LIKE '%login%') AND severity >= 5
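As an added example (not part of this advisory and not QRadar's own tooling), the script below implements the first two log indicators listed above against constructed sample log lines: a burst of failed authentication attempts from a single source, and successful logins outside business hours. The line format, the 09:00-18:00 UTC business-hours window and the threshold of 5 failures are assumptions for the example; adapt the parser to the real authentication event fields.

```python
# Added example: detector for the log indicators "multiple failed authentication
# attempts from same source" and "successful logins outside business hours".
# The log line format below is constructed for this example (assumption); it is
# not QRadar's native audit format.
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log lines (not real QRadar output).
SAMPLE_LOG = """\
2024-03-04T10:02:11Z src=10.1.1.20 user=alice result=SUCCESS
2024-03-04T10:05:40Z src=10.1.1.20 user=alice result=SUCCESS
2024-03-04T11:17:03Z src=203.0.113.9 user=bob result=FAIL
2024-03-04T11:17:09Z src=203.0.113.9 user=bob result=FAIL
2024-03-04T11:17:15Z src=203.0.113.9 user=carol result=FAIL
2024-03-04T11:17:22Z src=203.0.113.9 user=dave result=FAIL
2024-03-04T11:17:30Z src=203.0.113.9 user=erin result=FAIL
2024-03-04T11:18:02Z src=203.0.113.9 user=admin result=SUCCESS
2024-03-05T02:41:55Z src=10.1.1.44 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

BUSINESS_START_HOUR = 9   # inclusive, UTC (assumed policy)
BUSINESS_END_HOUR = 18    # exclusive, UTC (assumed policy)
FAIL_THRESHOLD = 5        # failed attempts from one source before alerting (assumed)


def parse_lines(text):
    """Yield dicts with parsed timestamp, source, user and result; skip malformed lines."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield {"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]}


def failed_login_bursts(events, threshold=FAIL_THRESHOLD):
    """Return {src: fail_count} for sources at or above the failure threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            counts[e["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def off_hours_successes(events):
    """Return (user, src, iso_timestamp) for successful logins outside business hours."""
    hits = []
    for e in events:
        hour = e["ts"].hour
        in_hours = BUSINESS_START_HOUR <= hour < BUSINESS_END_HOUR
        if e["result"] == "SUCCESS" and not in_hours:
            hits.append((e["user"], e["src"], e["ts"].isoformat()))
    return hits


def success_after_burst(events, threshold=FAIL_THRESHOLD):
    """Sources that produced a failure burst and also logged in successfully: the
    highest-priority review candidates, since a burst followed by success is the
    pattern an account-impersonation attempt would leave behind."""
    bursts = failed_login_bursts(events, threshold)
    return sorted({e["src"] for e in events
                   if e["result"] == "SUCCESS" and e["src"] in bursts})


def analyze(text=SAMPLE_LOG):
    """Run all three checks over the given log text and return their findings."""
    events = list(parse_lines(text))
    return {
        "bursts": failed_login_bursts(events),
        "off_hours": off_hours_successes(events),
        "success_after_burst": success_after_burst(events),
    }


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(name, finding)
```

Tune the threshold and business-hours window to the environment before relying on the output; the burst check counts per source across the whole input, so on a long-running feed you would additionally bound it to a sliding time window to keep the alert meaningful.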
