CVE-2023-38736

7.5 HIGH

📋 TL;DR

This vulnerability allows local users on systems with IBM QRadar WinCollect Agent installed to escalate their privileges to SYSTEM level. It affects IBM QRadar WinCollect Agent versions 10.0 through 10.1.6 when configured to run with ADMIN or SYSTEM permissions. Normal users can exploit this to gain full system control.

💻 Affected Systems

Products:
  • IBM QRadar WinCollect Agent
Versions: 10.0 through 10.1.6
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when installed to run as ADMIN or SYSTEM. Other configurations may not be affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement across the network.

🟠

Likely Case

Local users escalate to SYSTEM privileges, allowing them to install malware, modify system configurations, access sensitive data, and bypass security controls.

🟢

If Mitigated

With proper access controls and monitoring, exploitation attempts can be detected and contained before significant damage occurs.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Internal users with local access to affected systems can exploit this to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local user access. No public exploit code identified at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.7 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7030703

Restart Required: Yes

Instructions:

1. Download IBM QRadar WinCollect Agent version 10.1.7 or later from IBM Fix Central.
2. Stop the WinCollect service.
3. Install the updated version.
4. Restart the service.
5. Verify the installation.

🔧 Temporary Workarounds

Change Service Account

windows

Configure WinCollect Agent to run under a non-privileged service account instead of ADMIN or SYSTEM

sc config WinCollect obj= "NT AUTHORITY\LocalService"
sc config WinCollect password= ""

Restrict Local Access

windows

Implement strict access controls to limit which users can log into affected systems

🧯 If You Can't Patch

  • Implement strict least privilege access controls on affected systems
  • Monitor for privilege escalation attempts using security tools and logs

🔍 How to Verify

Check if Vulnerable:

Check WinCollect Agent version and service configuration. Versions 10.0-10.1.6 running as ADMIN/SYSTEM are vulnerable.

Check Version:

wmic product where "name like 'IBM QRadar WinCollect Agent%'" get version

Verify Fix Applied:

Verify WinCollect Agent version is 10.1.7 or later and service is running properly.
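The two conditions above (version below 10.1.7 and a privileged service account) can be checked together from an elevated PowerShell prompt. This is an added example, not code from the advisory or from IBM; it assumes the service name is "WinCollect", as used in the sc config workaround above, and that the product name starts with "IBM QRadar WinCollect Agent", as in the wmic query above.

```powershell
# Added verification check (not from the advisory or from IBM).
# Assumptions: service name "WinCollect" and product name prefix
# "IBM QRadar WinCollect Agent", both taken from the commands on this page.
$FixedVersion = [version]'10.1.7'
$ServiceName  = 'WinCollect'

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "Service '$ServiceName' is not installed"; return }

# Installed version from the same WMI class the wmic query uses
# (Win32_Product enumeration is slow; the filter keeps it to one product)
$prod = Get-CimInstance Win32_Product -Filter "Name LIKE 'IBM QRadar WinCollect Agent%'" |
        Select-Object -First 1
$installed = $null
if ($prod) {
    try { $installed = [version]$prod.Version }
    catch { Write-Warning "Cannot parse product version '$($prod.Version)'" }
}

# Normalise ".\user" to "HOST\user" so it matches Get-LocalGroupMember output
$account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
$admins  = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name

# The advisory's risky configurations: the SYSTEM account or a local administrator
$runsAsSystem = $account -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')
$runsAsAdmin  = $admins -contains $account

$affectedVersion = ($null -ne $installed) -and ($installed -lt $FixedVersion)
$vulnerable      = $affectedVersion -and ($runsAsSystem -or $runsAsAdmin)

[pscustomobject]@{
    Service           = $svc.Name
    ServiceAccount    = $account
    InstalledVersion  = $installed
    AffectedVersion   = $affectedVersion
    PrivilegedAccount = ($runsAsSystem -or $runsAsAdmin)
    Vulnerable        = $vulnerable
}
```

Vulnerable is true only when both conditions hold; after upgrading to 10.1.7 or later, AffectedVersion should report false regardless of the service account.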

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events
  • WinCollect service configuration changes
  • Process creation with SYSTEM privileges from non-privileged users

Network Indicators:

  • Unusual outbound connections from affected systems

SIEM Query:

source="WinCollect" AND (event_id=4688 OR event_id=4672) AND user!="SYSTEM" AND privilege="SeDebugPrivilege"
