CVE-2023-33860
📋 TL;DR
IBM Security QRadar EDR 3.12 does not set the 'Secure' attribute on its authorization tokens and session cookies. Without that attribute a browser attaches the cookies to any plain http:// request for the same host, so an attacker who gets a logged-in user to follow an http:// link to the console (sent directly or planted on a page the user visits) and who can observe the resulting plaintext traffic obtains the cookie values. Serving the console only over HTTPS does not remove the exposure: the cookie is sent in the clear with the initial request, before any redirect to HTTPS arrives. With a valid session cookie the attacker can act as that user in the EDR console.
💻 Affected Systems
- IBM Security QRadar EDR
📦 What is this software?
IBM Security QRadar EDR (formerly ReaQta) is IBM's endpoint detection and response product. Analysts administer it through a browser-based console; the affected cookies are the ones that authenticate that console session.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to QRadar EDR, allowing them to disable security controls, exfiltrate sensitive endpoint data, or deploy malicious payloads to managed endpoints.
Likely Case
Session hijacking leading to unauthorized access to endpoint data, security event manipulation, or privilege escalation within the EDR console.
If Mitigated
Exposure is reduced only where a plaintext request to the console cannot complete at all (HTTP listener closed and TCP/80 blocked at the host and network firewall, HSTS honoured by clients), not merely redirected; the defect itself remains in the product until the fix is applied.
🎯 Exploit Status
Exploitation requires two things: a victim with a live console session who follows, or whose browser fetches, an http:// link to the QRadar EDR host, and a network position from which the attacker can observe or intercept that plaintext request (same network segment, a compromised network device, ARP or DNS spoofing). No interaction with the EDR server itself is needed until the stolen cookie is replayed.
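The mechanism described in the TL;DR and above, shown with a standards-compliant cookie store rather than a browser. This is an added example, not IBM code or part of the original advisory: the host name, cookie name and paths are constructed, and Python's http.cookiejar stands in for the victim's browser because it applies the same Secure-flag rule (RFC 6265 section 5.4) when deciding which cookies to attach to a request.

```python
"""Why a missing Secure flag matters: a cookie stored without Secure is attached
to a plain http:// request for the same host, so an on-path observer reads it.

Added example (not IBM code). edr.example.internal, SESSIONID and the paths are
constructed for the demonstration.
"""
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for http.client.HTTPResponse; CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def cookies_sent_to(set_cookie_headers, login_url, target_url):
    """Store the cookies a login response set, then return the sorted cookie
    names the jar would attach to a request for target_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_headers), urllib.request.Request(login_url))
    probe = urllib.request.Request(target_url)
    jar.add_cookie_header(probe)  # applies the Secure rule: https-only if the flag is set
    header = probe.get_header("Cookie")
    return sorted(pair.split("=", 1)[0] for pair in header.split("; ")) if header else []


# Constructed headers: the vulnerable shape (no Secure) beside the fixed one.
LOGIN = "https://edr.example.internal/login"            # assumed console host
ATTACKER_LINK = "http://edr.example.internal/console/"  # same host, http:// scheme
VULNERABLE = ["SESSIONID=abc123; Path=/; HttpOnly"]
FIXED = ["SESSIONID=abc123; Path=/; HttpOnly; Secure"]


def demo():
    """Return (cookies leaked over the http:// link when vulnerable, when fixed)."""
    return (
        cookies_sent_to(VULNERABLE, LOGIN, ATTACKER_LINK),
        cookies_sent_to(FIXED, LOGIN, ATTACKER_LINK),
    )


if __name__ == "__main__":
    leaked, withheld = demo()
    print("No Secure flag, cookies on the http:// request:", leaked)    # ['SESSIONID']
    print("With Secure,    cookies on the http:// request:", withheld)  # []
```

The same jar still sends the Secure cookie to an https:// URL on that host, which is why the fix costs nothing for legitimate use.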
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply interim fix or upgrade to version 3.12.1 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7159770
Restart Required: Yes
Instructions:
1. Download the interim fix from IBM Fix Central.
2. Apply the fix following IBM's installation instructions.
3. Restart QRadar EDR services.
4. Verify the fix by checking that the session and authorization cookies now carry the 'Secure' attribute.
🔧 Temporary Workarounds
Enforce HTTPS Only
Disable plain HTTP on the console entirely: close the HTTP listener and block TCP/80 to the console host at the host and network firewall. A redirect from HTTP to HTTPS is not sufficient, because the browser has already sent the cookie in the clear by the time the redirect arrives.
# Disable the HTTP listener in the front-end web server configuration instead of redirecting it, and block TCP/80 to the console host at the firewall
Network Segmentation
Restrict access to the QRadar EDR console to the management network and route administrator traffic over VPN, so that any plaintext request that does occur never crosses an untrusted network segment.
# Firewall: allow only the HTTPS port on the console host from the management network; deny all other inbound access
🧯 If You Can't Patch
- Enforce network controls that make plain HTTP to the QRadar EDR console impossible to complete (port closed and blocked), not merely redirected
- If a reverse proxy or WAF fronts the console, have it add the 'Secure' (and 'HttpOnly') attribute to every Set-Cookie header the backend emits; cookies passing through the proxy are then protected even though the backend remains unfixed
🔍 How to Verify
Check if Vulnerable:
Log in to QRadar EDR over HTTPS, open the browser developer tools (Application or Storage tab, Cookies) and inspect the session and authorization cookies: if the Secure column is unchecked, the instance is vulnerable. Equivalently, inspect the Set-Cookie headers in the login response.
Check Version:
# On QRadar EDR server: cat /opt/qradar/version.txt
Verify Fix Applied:
After patching, confirm that every session cookie and authorization token in the Set-Cookie headers carries the 'Secure' attribute, and that the console no longer answers on plain HTTP.
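A small audit script for the two checks above (vulnerable or fixed), added here as an example and not IBM tooling: it connects over TLS, requests a console page and reports every cookie that lacks Secure (the CVE-2023-33860 defect) or HttpOnly. The host name, path and the sample headers at the bottom are constructed; the cookie names are placeholders, not the product's real ones.

```python
"""Report Set-Cookie headers missing Secure/HttpOnly on a QRadar EDR console.

Added example, not IBM code. Host, path and the SAMPLE_* headers are constructed.
Usage: python audit_cookies.py edr.example.internal [/login] [--insecure]
"""
import http.client
import ssl
import sys


def cookie_attributes(set_cookie_value):
    """Split one Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_set_cookie(set_cookie_values, required=("secure", "httponly")):
    """Map cookie name -> sorted list of required attributes it lacks.
    Cookies that carry every required attribute are omitted from the result."""
    findings = {}
    for value in set_cookie_values:
        name, attrs = cookie_attributes(value)
        missing = sorted(a for a in required if a not in attrs)
        if missing:
            findings[name] = missing
    return findings


def fetch_set_cookie(host, path="/", port=443, verify_tls=True):
    """GET https://host:port/path and return every Set-Cookie header value.
    verify_tls=False is only for appliances still on a self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed headers: what a vulnerable 3.12 instance might return, and the fixed shape.
SAMPLE_BEFORE = ["SESSIONID=abc123; Path=/; HttpOnly", "authz_token=t0k3n; Path=/api"]
SAMPLE_AFTER = ["SESSIONID=abc123; Path=/; HttpOnly; Secure",
                "authz_token=t0k3n; Path=/api; Secure; HttpOnly"]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("before fix:", audit_set_cookie(SAMPLE_BEFORE))  # {'SESSIONID': ['secure'], 'authz_token': ['httponly', 'secure']}
        print("after fix: ", audit_set_cookie(SAMPLE_AFTER))   # {}
        sys.exit(0)
    target_host = sys.argv[1]
    target_path = sys.argv[2] if len(sys.argv) > 2 and not sys.argv[2].startswith("--") else "/"
    headers = fetch_set_cookie(target_host, target_path, verify_tls="--insecure" not in sys.argv)
    problems = audit_set_cookie(headers)
    for cookie, missing in problems.items():
        print(f"{cookie}: missing {', '.join(missing)}")
    sys.exit(1 if problems else 0)
```

Run it against the login page (the response that sets the session cookie); a non-zero exit code means at least one cookie still lacks Secure or HttpOnly.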
📡 Detection & Monitoring
Log Indicators:
- A console session token presented from a source IP or User-Agent different from the one that authenticated it, with no intervening login
- The same session cookie appearing on both HTTP and HTTPS requests to the console
Network Indicators:
- Plain HTTP requests to the QRadar EDR console host that carry a Cookie header
- Console requests presenting a known session cookie from an unexpected source address, in particular an external one
SIEM Query:
destinationIP='QRadar_EDR_IP' AND protocol='HTTP' AND (url CONTAINS '/api/' OR url CONTAINS '/console/') AND userAgent CONTAINS 'Mozilla'
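The two indicators above, implemented as detection logic over constructed web-proxy records. This is an added example, not a QRadar rule or IBM code: the JSON-lines record format and its field names, the console host name edr.example.internal and the cookie name SESSIONID are assumptions to be mapped onto your own proxy or SIEM schema.

```python
"""Detect (1) plaintext console requests carrying a cookie and (2) one session
cookie presented from several client IPs. Added example; the log format, field
names, host and cookie name are constructed assumptions.
"""
import json
from collections import defaultdict

EDR_HOSTS = {"edr.example.internal"}  # assumed console host(s)
SESSION_COOKIE = "SESSIONID"           # assumed session cookie name

# Constructed sample: a normal login, a leak over http://, then the stolen
# session replayed from an external address, plus unrelated noise.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:01Z", "src_ip": "10.1.1.20", "dst_host": "edr.example.internal", "scheme": "https", "uri": "/login", "cookie": null}
{"ts": "2024-05-01T09:00:05Z", "src_ip": "10.1.1.20", "dst_host": "edr.example.internal", "scheme": "https", "uri": "/console/", "cookie": "SESSIONID=abc123"}
{"ts": "2024-05-01T09:07:40Z", "src_ip": "10.1.1.20", "dst_host": "edr.example.internal", "scheme": "http", "uri": "/console/", "cookie": "SESSIONID=abc123"}
{"ts": "2024-05-01T09:09:12Z", "src_ip": "203.0.113.7", "dst_host": "edr.example.internal", "scheme": "https", "uri": "/api/endpoints", "cookie": "SESSIONID=abc123"}
{"ts": "2024-05-01T09:10:00Z", "src_ip": "10.1.1.31", "dst_host": "intranet.example.internal", "scheme": "http", "uri": "/", "cookie": "PHPSESSID=zzz"}
"""


def parse_records(text):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def session_id(cookie_header):
    """Return the SESSION_COOKIE value from a Cookie header, or None."""
    if not cookie_header:
        return None
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return value
    return None


def plaintext_cookie_exposure(records):
    """Indicator 1: a request to the console over plain HTTP that carries a
    cookie. Each hit is the moment a token was exposed on the wire."""
    return [(r["ts"], r["src_ip"], r["uri"]) for r in records
            if r["dst_host"] in EDR_HOSTS and r["scheme"] == "http" and r.get("cookie")]


def session_reuse_across_ips(records):
    """Indicator 2: one console session cookie seen from more than one client
    IP. A legitimate re-login mints a new id, so reuse points at replay."""
    seen = defaultdict(set)
    for r in records:
        if r["dst_host"] not in EDR_HOSTS:
            continue
        sid = session_id(r.get("cookie"))
        if sid:
            seen[sid].add(r["src_ip"])
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for ts, src, uri in plaintext_cookie_exposure(recs):
        print(f"ALERT plaintext cookie to EDR console: {ts} {src} {uri}")
    for sid, ips in session_reuse_across_ips(recs).items():
        print(f"ALERT session {sid} used from multiple IPs: {', '.join(ips)}")
```

The second detection is the one that fires after a successful theft, when the attacker replays the cookie; the first fires at the moment of exposure and is also the right query for assessing how often users were reaching the console over plain HTTP before the fix.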