CVE-2024-28799

5.6 MEDIUM

📋 TL;DR

IBM QRadar Suite and Cloud Pak for Security in non-default configurations improperly display sensitive data to local privileged users during back-end commands. This vulnerability allows privileged users on the system to view information that should remain hidden, potentially exposing credentials or configuration details. Affected versions are QRadar Suite 1.10.12.0-1.10.23.0 and Cloud Pak for Security 1.10.0.0-1.10.11.0.

💻 Affected Systems

Products:
  • IBM QRadar Suite Software
  • IBM Cloud Pak for Security
Versions: QRadar Suite: 1.10.12.0 through 1.10.23.0; Cloud Pak for Security: 1.10.0.0 through 1.10.11.0
Operating Systems: Linux-based systems running IBM security products
Default Config Vulnerable: ✅ No
Notes: Only affects non-default configurations. Requires local privileged user access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privileged attacker obtains sensitive credentials or configuration data that could lead to lateral movement, privilege escalation, or compromise of other systems.

🟠 Likely Case: Authorized administrator accidentally views sensitive data during routine operations, potentially exposing credentials that could be misused.

🟢 If Mitigated: Minimal impact, as only local privileged users in non-default configurations can access the data, and proper access controls limit exposure.

🌐 Internet-Facing: LOW - This is a local information disclosure requiring privileged access to the system.
🏢 Internal Only: MEDIUM - Internal privileged users could exploit this to gain unauthorized access to sensitive information.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires local privileged access but exploitation is straightforward once access is obtained.

Exploitation requires existing local privileged access to the system in a non-default configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: QRadar Suite: 1.10.24.0 or later; Cloud Pak for Security: 1.10.12.0 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7165488

Restart Required: Yes

Instructions:

1. Download the appropriate fix pack from IBM Fix Central.
2. Follow IBM's installation guide for your product.
3. Apply the fix pack using the product's update mechanism.
4. Restart affected services as required.

🔧 Temporary Workarounds

Restrict Local Privileged Access (all)

Limit the number of users with local privileged access to affected systems.

Audit Configuration Settings (all)

Review and revert any non-default configurations that might trigger the vulnerability.

🧯 If You Can't Patch

  • Implement strict access controls to limit local privileged users to only those who absolutely need it.
  • Monitor privileged user activity and implement session logging for all administrative actions.

🔍 How to Verify

Check if Vulnerable:

Check your product version against affected ranges: QRadar Suite 1.10.12.0-1.10.23.0 or Cloud Pak for Security 1.10.0.0-1.10.11.0.

Check Version:

For QRadar: Check Admin tab > System and License Management. For Cloud Pak: Use oc get pods to check container versions.

Verify Fix Applied:

Verify that the installed version is QRadar Suite 1.10.24.0 or later, or Cloud Pak for Security 1.10.12.0 or later, and check that no sensitive data is displayed during back-end commands.
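The version check above is easy to get wrong when versions are compared as text ("1.10.9.0" sorts after "1.10.23.0" as a string). As an added example, not part of the IBM advisory or this page, the following compares a reported version numerically against the affected and fixed ranges stated on this page; the product names and the "outside stated ranges" label are this example's own choices.

```python
# Added example (not from the IBM advisory): compare a reported product
# version against the affected/fixed ranges for CVE-2024-28799 as stated
# on this page. Versions are compared as integer tuples rather than strings.

# product -> (first affected, last affected, first fixed), all from this page
AFFECTED = {
    "QRadar Suite": ("1.10.12.0", "1.10.23.0", "1.10.24.0"),
    "Cloud Pak for Security": ("1.10.0.0", "1.10.11.0", "1.10.12.0"),
}


def parse_version(v):
    """Turn '1.10.23.0' into (1, 10, 23, 0); reject anything non-numeric."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def assess(product, version):
    """Return 'affected', 'fixed' or 'outside stated ranges' for a version.

    'outside stated ranges' covers versions the advisory does not list,
    e.g. builds older than the first affected release; treat those as
    unknown rather than safe.
    """
    if product not in AFFECTED:
        raise KeyError(f"unknown product: {product!r}")
    low, high, fixed = (parse_version(x) for x in AFFECTED[product])
    v = parse_version(version)
    if low <= v <= high:
        return "affected"
    if v >= fixed:
        return "fixed"
    return "outside stated ranges"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("QRadar Suite", "1.10.9.0"),
        ("QRadar Suite", "1.10.23.0"),
        ("QRadar Suite", "1.10.24.0"),
        ("Cloud Pak for Security", "1.10.11.0"),
        ("Cloud Pak for Security", "1.10.12.0"),
    ]
    for product, version in inventory:
        print(f"{product} {version}: {assess(product, version)}")
    # The pitfall this example avoids: lexicographic comparison.
    assert "1.10.9.0" > "1.10.23.0"          # wrong as text
    assert parse_version("1.10.9.0") < parse_version("1.10.23.0")  # right
```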

📡 Detection & Monitoring

Log Indicators:

  • Unusual privileged user activity
  • Access to sensitive data files by local users
  • Configuration changes to back-end command settings

Network Indicators:

  • N/A - This is a local vulnerability

SIEM Query:

Search for privileged user sessions accessing sensitive configuration files or executing back-end commands that might trigger the disclosure.
