CVE-2023-38019
📋 TL;DR
This directory traversal vulnerability in IBM SOAR QRadar Plugin App allows remote attackers to read arbitrary files on the system by sending specially crafted URL requests containing directory traversal sequences. Affected organizations are those running IBM SOAR QRadar Plugin App versions 1.0 through 5.0.3.
💻 Affected Systems
- IBM SOAR QRadar Plugin App
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via reading sensitive files like configuration files, credentials, SSH keys, or other authentication tokens, potentially leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive configuration files, logs, or other system files containing operational data or limited credentials.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and monitoring in place, potentially only exposing non-sensitive files.
🎯 Exploit Status
Directory traversal vulnerabilities are commonly exploited and require minimal technical skill. The vulnerability is unauthenticated, making it particularly dangerous.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.4 and later
Vendor Advisory: https://www.ibm.com/support/pages/node/7111679
Restart Required: Yes
Instructions:
1. Download IBM SOAR QRadar Plugin App version 5.0.4 or later from IBM Fix Central.
2. Follow IBM's upgrade documentation for your specific deployment.
3. Restart the application services after installation.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the IBM SOAR QRadar Plugin App to only trusted IP addresses and networks using firewall rules.
Web Application Firewall
Deploy a WAF with rules to block directory traversal patterns (../, ..\, etc.) in URL requests.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the vulnerable system from sensitive networks and the internet.
- Deploy file system monitoring and integrity checking to detect unauthorized file access attempts.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of IBM SOAR QRadar Plugin App via the application interface or configuration files. If version is between 1.0 and 5.0.3 inclusive, the system is vulnerable.
Check Version:
Check the application's admin interface or configuration files for version information (specific command varies by deployment).
Verify Fix Applied:
After patching, verify the version shows 5.0.4 or later. Test with controlled directory traversal attempts to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing ../ or ..\ sequences in URLs
- Failed file access attempts to sensitive paths
- Unusual file read operations from web application logs
Network Indicators:
- HTTP requests with URL-encoded directory traversal patterns (%2e%2e%2f, etc.)
- Traffic spikes to the application from unexpected sources
SIEM Query:
source="web_logs" AND (url="*../*" OR url="*..\\*" OR url="*%2e%2e%2f*" OR url="*%2e%2e%5c*")
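The same traversal indicators applied outside a SIEM, as an added example that is not part of the advisory or IBM's tooling: a small Python scanner that decodes each request URL before matching, so it also flags the double-encoded form (%252e%252e%252f) that the literal wildcard query above does not cover. The log lines, client IPs and paths are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (synthetic, not from any real deployment).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/status HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /api/files?name=../../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /api/files?name=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /api/files?name=..%252f..%252fconfig.ini HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /static/app..js HTTP/1.1" 200 2048',
]

# Pull the client IP and the request URL out of a common-log-format line.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
# A ".." path segment: not part of a longer name (app..js) and followed by a slash or end.
TRAVERSAL_RE = re.compile(r'(?<![\w.])\.\.(?:/|$)')

def normalize_url(url: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding like %252f) and fold
    backslashes into forward slashes so the ..\\ and ../ forms are checked alike."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/")

def is_traversal(url: str) -> bool:
    """True when the normalized URL contains a '..' traversal segment."""
    return TRAVERSAL_RE.search(normalize_url(url)) is not None

def find_traversal_requests(log_lines):
    """Return (client_ip, raw_url, normalized_url) for every flagged request."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip rather than guess
        url = m.group("url")
        if is_traversal(url):
            hits.append((m.group("ip"), url, normalize_url(url)))
    return hits

if __name__ == "__main__":
    for ip, raw, norm in find_traversal_requests(SAMPLE_LOGS):
        print(f"{ip}: {raw}  ->  {norm}")
```

Requests that were blocked (403/404) are still reported, since repeated attempts from one source are the signal worth correlating with the network indicators listed above.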