CVE-2024-51461
📋 TL;DR
This vulnerability in IBM QRadar WinCollect Agent allows remote attackers to cause denial of service by interrupting HTTP requests, leading to memory resource consumption. It affects organizations using IBM QRadar WinCollect Agent versions 10.0 through 10.1.13 for Windows event log collection.
💻 Affected Systems
- IBM QRadar WinCollect Agent
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could exhaust memory resources on the WinCollect Agent host, causing service disruption and potentially affecting Windows event log collection for security monitoring.
Likely Case
Intermittent service interruptions affecting Windows event log collection, potentially creating gaps in security monitoring and compliance reporting.
If Mitigated
Minimal impact with proper network segmentation and monitoring in place, allowing quick detection and response to any exploitation attempts.
🎯 Exploit Status
The vulnerability description suggests remote unauthenticated exploitation is possible via HTTP request interruption.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.1.14 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7230614
Restart Required: Yes
Instructions:
1. Download WinCollect Agent 10.1.14 or later from IBM Fix Central.
2. Stop the WinCollect Agent service.
3. Install the updated version.
4. Restart the WinCollect Agent service.
5. Verify successful connection to the QRadar console.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to WinCollect Agents to only the necessary QRadar console IPs and ports.
Use Windows Firewall: allow inbound connections on the agent port from the QRadar console address only, and rely on the profile's default inbound action (Block) rather than adding an explicit block rule for the same port. Windows Firewall evaluates explicit Block rules ahead of Allow rules, so a blanket Block on port 514 would also cut off the console:
New-NetFirewallRule -DisplayName "Block WinCollect Except QRadar" -Direction Inbound -LocalPort 514 -Protocol TCP -RemoteAddress "QRadar_Console_IP" -Action Allow
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can communicate with WinCollect Agents
- Monitor WinCollect Agent memory usage and restart services if abnormal consumption is detected
🔍 How to Verify
Check if Vulnerable:
Check WinCollect Agent version via Windows Services or registry: HKEY_LOCAL_MACHINE\SOFTWARE\IBM\WinCollect\Version
Check Version:
reg query "HKLM\SOFTWARE\IBM\WinCollect" /v Version
Verify Fix Applied:
Verify version is 10.1.14 or later and monitor for memory consumption issues during normal operation
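The version check above and the "monitor memory and restart" workaround from the previous section, combined into one script. This is an added example, not part of the advisory or IBM's tooling; it assumes the Windows service is named "WinCollect", that the registry Version value is a dotted string such as "10.1.12", and uses a constructed 1 GB memory threshold that should be tuned to the host's normal baseline.

```powershell
# Added example (not from the advisory or IBM): flags hosts in the affected
# 10.0 - 10.1.13 range using the registry path the advisory cites, and samples
# the agent service's working set for the interim monitor-and-restart workaround.
$RegPath       = 'HKLM:\SOFTWARE\IBM\WinCollect'
$FirstAffected = [version]'10.0'
$FixedVersion  = [version]'10.1.14'
$ServiceName   = 'WinCollect'   # assumed service name; confirm with Get-Service
$MemoryLimitMB = 1024           # constructed threshold, tune to baseline
$AutoRestart   = $false         # set to $true to apply the restart workaround

function Get-WinCollectVersion {
    $raw = (Get-ItemProperty -Path $RegPath -Name Version -ErrorAction Stop).Version
    # Keep the leading numeric part so a build suffix does not break the [version] cast
    if ($raw -match '^\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    throw "Unrecognised WinCollect version string: '$raw'"
}

function Test-WinCollectVulnerable([version]$Version) {
    # CVE-2024-51461 affects 10.0 through 10.1.13; 10.1.14 carries the fix
    return ($Version -ge $FirstAffected) -and ($Version -lt $FixedVersion)
}

function Get-WinCollectMemoryMB {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return $null }   # not installed or stopped
    $proc = Get-Process -Id $svc.ProcessId -ErrorAction Stop
    return [math]::Round($proc.WorkingSet64 / 1MB, 1)
}

$agentVersion = Get-WinCollectVersion
if (Test-WinCollectVulnerable $agentVersion) {
    Write-Warning "WinCollect $agentVersion is affected by CVE-2024-51461; upgrade to $FixedVersion or later"
} else {
    Write-Output "WinCollect $agentVersion is outside the affected range"
}

$memMB = Get-WinCollectMemoryMB
if ($null -eq $memMB) {
    Write-Warning "Service '$ServiceName' not found or not running"
} elseif ($memMB -gt $MemoryLimitMB) {
    Write-Warning "WinCollect working set ${memMB} MB exceeds ${MemoryLimitMB} MB"
    if ($AutoRestart) { Restart-Service -Name $ServiceName -Force }
} else {
    Write-Output "WinCollect working set ${memMB} MB is within the limit"
}
```

Run it from a scheduled task at a short interval if you rely on the restart workaround, and keep the memory warnings flowing into QRadar so the gap in event collection is itself visible.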
📡 Detection & Monitoring
Log Indicators:
- High memory usage alerts from WinCollect Agent
- Service restart events for WinCollect
- Connection interruptions in QRadar WinCollect logs
Network Indicators:
- Abnormal HTTP traffic patterns to WinCollect Agent ports
- Multiple interrupted HTTP connections from single sources
SIEM Query:
SELECT * FROM events WHERE devicetype=18 AND (eventname='Service Control Manager' OR eventname='Memory Usage Alert') AND (message LIKE '%WinCollect%' OR message LIKE '%memory%high%') LAST 24 HOURS