-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3144
        QRadar Risk Manager: Adobe Flash end of life and changes to
                   Configuration Source Management (CSM)
                             14 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           QRadar Risk Manager
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6326009

Comment: QRadar Risk Manager changes related to Adobe Flash end of life

- --------------------------BEGIN INCLUDED TEXT--------------------

QRadar Risk Manager: Adobe Flash end of life and changes to Configuration
Source Management (CSM)


Document Information

More support for:     IBM Security QRadar Risk Manager
Component:            QRadar Risk and Vulnerability Manager
Software version:     7.3.3, 7.4.1
Operating system(s):  Linux
Document number:      6326009
Modified date:        11 September 2020


Administrators with QRadar Risk Manager appliances in their deployment are
being alerted to changes in Configuration Source Management (CSM) due to the
approaching end of life of Adobe Flash. Because Adobe Flash is being removed,
the CSM functionality is integrated into the Configuration Monitor. The updated
Configuration Monitor interface is available to administrators who upgrade
their QRadar deployment in upcoming fix pack releases.

QRadar Risk Manager administrators are being alerted to an upcoming user
interface change to the Configuration Source Management (CSM) component. Due to
the End of Life (EOL) announcement for Adobe Flash, QRadar Risk Manager has
deprecated the default Configuration Source Management interface and integrated
the device backup and configuration functionality into the Configuration
Monitor. The Configuration Monitor interface includes the same device backup
functionality, but was developed without Adobe Flash so that administrators can
comply with Adobe's 31 December 2020 end of life announcement. Administrators
in corporate environments that require the removal of Adobe Flash can discuss
upgrading to a QRadar version that includes the updated Configuration Monitor.
All created schedules (scheduled discovery and backup jobs) are automatically
moved from the legacy Configuration Source Management interface on the Admin
tab to the Configuration Monitor on the Risks tab after you upgrade.


Product versions

The following versions integrate scheduling and device configurations into the
Configuration Monitor on the Risks tab:


  o QRadar Risk Manager 7.4.1 fix pack 1 (unreleased) and later
  o QRadar Risk Manager 7.3.3 fix pack 5 (unreleased) and later


How to identify the issue

A notice is displayed in the Configuration Source Management component to
advise administrators that the Configuration Source Management is deprecated.
Administrators who see this information message can upgrade to a QRadar version
that includes the Configuration Monitor to avoid interruptions with device
configurations after 31 December 2020 due to Adobe Flash end of life (EOL)
issues.

Figure 1: Legacy Configuration Source Management user interface for Adobe
Flash.

Figure 2: Browsers which block Adobe Flash by default do not display the
Configuration Source Management user interface.


Locating the Configuration Monitor

The QRadar 7.4.1 fix pack 1 and QRadar 7.3.3 fix pack 5 updates move the
discovery, backup, credential, and schedule functionality to the Risks tab.
After the QRadar deployment is upgraded, administrators use the Configuration
Monitor to make changes to their devices. The functionality of Configuration
Source Management and the Configuration Monitor is identical, and the
Configuration Monitor has no dependency on Adobe Flash.

Procedure

 1. Log in to QRadar.
 2. Click the Risks tab.
 3. In the Risk Manager pane, click Configuration Monitor.
    Figure 3: Location of the Configuration Monitor on the Risks tab.
 4. Use the Configuration Monitor to manage your devices.


Schedules and device backups

Schedule configuration in QRadar Risk Manager allows administrators to define
backup jobs or device discovery in the Configuration Monitor. Schedules are now
set up using the Configuration Monitor. Devices can be added to the schedule,
and a trigger defines the time and recurrence for the backup or device
discovery, which can occur once, daily, weekly, or monthly, or be defined as a
cron expression.

Figure 4: Schedules are now defined in the Configuration Monitor for the Risk
Manager versions described in this technical note.

Procedure

 1. Click the Risks tab.
 2. Expand the Configuration Monitor and select Schedules.
 3. On the Schedules page, click Add to create a new schedule, or select an
    existing schedule and click Edit.
 4. Type a unique Name for the schedule.
 5. Select a Group from the drop-down list or type a new Group name.
 6. Select a schedule type to either back up or discover new devices:
    +----------+------------------------------------------------------------+
    |  Option  |Description                                                 |
    +----------+------------------------------------------------------------+
    |Backup    |Backup schedules allow users to collect device configuration|
    |          |changes from discovered network devices.                    |
    +----------+------------------------------------------------------------+
    |Discovery |Updates the telemetry (neighbor) information for devices and|
    |          |adds newly discovered network devices.                      |
    +----------+------------------------------------------------------------+
    Note: If a discovery schedule exists, you must select Backup. You cannot
    change the Type of an existing schedule.
 7. If you are creating a discovery schedule and want to add newly discovered
    devices to a product, select Crawl.
 8. If you are creating a backup schedule, click Edit and add or remove devices
    to be targeted for backup. Then perform one of the following actions:
 9. Use the arrows to move devices from the Available Devices list to the
    Selected Devices list.
10. Select Search to configure a search to dynamically target devices based on
    IP address, operating system, model, or hostname.
    Tip: You can search for Admin or Interface IP addresses with a
    comma-separated list of IP addresses or CIDR ranges.
11. Select a Trigger to specify the frequency you want the schedule to run.
      o Once
      o Daily
      o Weekly
      o Monthly
      o Cron

        Note: Cron expressions that repeat more than once per hour are not
        accepted.
12. Click Save.
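The Cron trigger note above says that expressions repeating more than once per hour are not accepted. The following pre-check is an added example, not IBM's code: it assumes the standard 5-field cron layout (minute hour day-of-month month day-of-week) and expands only the minute field, since that field alone decides how many times an expression fires within an hour.

```python
"""Pre-check a cron trigger against the Configuration Monitor rule that a
schedule must not repeat more than once per hour (added example, not IBM's code;
assumes a standard 5-field cron expression)."""
from typing import Set


def expand_field(field: str, low: int, high: int) -> Set[int]:
    """Expand one cron field (values, lists, ranges, steps, '*') to the set of
    integers it matches; raises ValueError on malformed or out-of-range input."""
    values: Set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"invalid step in {field!r}")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            first, last = part.split("-", 1)
            start, end = int(first), int(last)
        else:
            start = int(part)
            # Vixie-cron semantics: "5/10" means 5, 15, 25, ... up to the maximum.
            end = high if step > 1 else start
        if not (low <= start <= end <= high):
            raise ValueError(f"value out of range in {field!r}")
        values.update(range(start, end + 1, step))
    return values


def firings_per_hour(expr: str) -> int:
    """Number of distinct minutes within one hour at which the expression fires."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 cron fields")
    return len(expand_field(fields[0], 0, 59))


def is_accepted(expr: str) -> bool:
    """True when the trigger fires at most once per hour, i.e. would be accepted
    by the Configuration Monitor; malformed expressions are rejected."""
    try:
        return firings_per_hour(expr) <= 1
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("0 * * * *", "30 2 * * 1", "*/15 * * * *", "0,30 * * * *"):
        verdict = "accepted" if is_accepted(candidate) else "rejected"
        print(f"{candidate!r:>16}: {verdict}")
```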

Device discovery

Device Discovery is now located in the Configuration Monitor on the Risks tab
for the QRadar Risk Manager versions discussed in this technical note. Device
Discovery streamlines adding network devices through network management
appliances, such as Check Point Management Servers, Palo Alto Panorama, or
Juniper NSM, or by crawling the network with SNMP for discoverable IP
addresses. The Device Discovery functions in QRadar Risk Manager allow users to
set up multiple networks and run discovery to automatically add new firewalls,
IPSs, and other network devices so that they can be backed up and added to the
Topology. It is important that administrators do not add overlapping address
ranges or CIDR addresses when discovering devices, to prevent duplicates.

Figure 5: Device Discovery in the Configuration Monitor displays the status or
logs for added devices.
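To catch the overlapping ranges the paragraph above warns about before discovery creates duplicate devices, the following check is an added example, not IBM's code. It assumes the address list is written in the comma-separated form the note describes for searches (single IPv4/IPv6 addresses or CIDR ranges); the sample list is constructed.

```python
"""Check a Device Discovery address list for overlapping entries and suggest a
merged, non-overlapping replacement (added example, not IBM's code)."""
import ipaddress
from itertools import combinations
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: the /25 nests inside the /24, and the /48 inside the /32.
SAMPLE_LIST = "192.0.2.0/24, 192.0.2.128/25, 198.51.100.10, 2001:db8::/32, 2001:db8:1::/48"


def parse_address_list(text: str) -> List[Network]:
    """Parse comma-separated addresses/CIDRs; a bare address becomes a /32 or /128.
    A CIDR with host bits set (e.g. 10.0.0.5/24) raises ValueError instead of
    being silently widened, so the administrator sees the typo."""
    networks: List[Network] = []
    for item in text.split(","):
        item = item.strip()
        if item:
            networks.append(ipaddress.ip_network(item))
    return networks


def find_overlaps(networks: List[Network]) -> List[Tuple[str, str]]:
    """Return every pair of entries that share at least one address, in input order."""
    return [
        (str(a), str(b))
        for a, b in combinations(networks, 2)
        if a.version == b.version and a.overlaps(b)
    ]


def collapse_ranges(networks: List[Network]) -> List[str]:
    """Suggest a replacement list: overlapping (and adjacent) entries merged into
    the smallest set of non-overlapping networks, IPv4 first, then IPv6."""
    merged: List[str] = []
    for version in (4, 6):
        same_version = [n for n in networks if n.version == version]
        merged.extend(str(n) for n in ipaddress.collapse_addresses(same_version))
    return merged


if __name__ == "__main__":
    nets = parse_address_list(SAMPLE_LIST)
    for first, second in find_overlaps(nets):
        print(f"overlap: {first} and {second}")
    print("suggested list:", ", ".join(collapse_ranges(nets)))
```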


Credentials

Device credentials can be added to access and download the configuration of
devices such as firewalls, routers, switches, or IPSs in the Configuration
Monitor on the Risks tab. Administrators can add credentials for individual
devices or for multiple network devices that use the same credentials and
prioritize the credential order QRadar Risk Manager uses to back up network
device configurations.
Figure 6: Device credentials can be added in the Configuration Monitor.

Configuring protocols

QRadar Risk Manager users can define the protocol, port, and other details
required to communicate to a set of network devices. You can assign devices to
network groups, which allows you to group together protocol sets and address
sets for your devices.

Procedure

 1. On the Risks tab, click Configuration Monitor.
 2. In the navigation menu, click Protocols.
 3. Select Add from the toolbar.
 4. Type a Name for the protocol set.
 5. In the Address Sets section, click Add.
 6. In the Add Address field, type the IP address or CIDR range that you want
    to apply to the network group, then click OK.
    Tip: You can use IPv4 or IPv6 addresses or CIDR ranges.
 7. Select the check box for each protocol you want to enable.
    Tip: Select a protocol and click Increase Priority or Decrease Priority to
    adjust the order you want the protocols to be used.
 8. Select a protocol to configure its relevant properties. You can configure
    the following values for the protocol parameters:
    Table 1. Protocol parameters
    +--------+----------------------------------------------------------------+
    |Protocol|Parameter description                                           |
    +--------+----------------------------------------------------------------+
    |SSH     |Configure the following parameters:                             |
    |        |                                                                |
    |        |  o Port - Type the port that you want the SSH protocol to use  |
    |        |    when communicating with and backing up network devices. The |
    |        |    default SSH protocol port is 22.                            |
    |        |  o Version - Select the version of SSH that you want this      |
    |        |    network group to use when communicating with network        |
    |        |    devices. The available options are as follows:              |
    |        |      - Auto - Automatically detects the SSH version to use     |
    |        |        when communicating with network devices.                |
    |        |      - 1 - Use SSH-1 when communicating with network devices.  |
    |        |      - 2 - Use SSH-2 when communicating with network devices.  |
    +--------+----------------------------------------------------------------+
    |Telnet  |Type the port number you want the Telnet protocol to use when   |
    |        |communicating with and backing up network devices. The default  |
    |        |Telnet protocol port is 23.                                     |
    +--------+----------------------------------------------------------------+
    |HTTPS   |Type the port number you want the HTTPS protocol to use when    |
    |        |communicating with and backing up network devices. The default  |
    |        |HTTPS protocol port is 443.                                     |
    +--------+----------------------------------------------------------------+
    |HTTP    |Type the port number you want the HTTP protocol to use when     |
    |        |communicating with and backing up network devices. The default  |
    |        |HTTP protocol port is 80.                                       |
    +--------+----------------------------------------------------------------+
    |SCP     |Type the port number you want the SCP protocol to use when      |
    |        |communicating with and backing up network devices. The default  |
    |        |SCP protocol port is 22.                                        |
    +--------+----------------------------------------------------------------+
    |SFTP    |Type the port number you want the SFTP protocol to use when     |
    |        |communicating with and backing up network devices. The default  |
    |        |SFTP protocol port is 22.                                       |
    +--------+----------------------------------------------------------------+
    |FTP     |Type the port number you want the FTP protocol to use when      |
    |        |communicating with and backing up network devices. The default  |
    |        |SFTP protocol port is 22.                                       |
    +--------+----------------------------------------------------------------+
    |TFTP    |The TFTP protocol does not have any configurable options.       |
    +--------+----------------------------------------------------------------+
    |SNMP    |Configure the following parameters:                             |
    |        |                                                                |
    |        |  o Port - Type the port number you want the SNMP protocol to   |
    |        |    use when communicating with and backing up network devices. |
    |        |  o Timeout (ms) - Select the amount of time, in milliseconds,  |
    |        |    that you want to use to determine a communication timeout.  |
    |        |  o Retries - Select the number of times you want to retry      |
    |        |    communications to a device.                                 |
    |        |  o Version - Select the version of SNMP you want to use for    |
    |        |    communications. The options are v1, v2, or v3. For v3:      |
    |        |      - V3 Authentication - Select the algorithm you want to    |
    |        |        use to authenticate SNMP traps.                         |
    |        |      - V3 Encryption - Select the protocol you want to use to  |
    |        |        decrypt SNMP traps.                                     |
    +--------+----------------------------------------------------------------+
 9. Click Save.
    Tip: After you create your protocol sets, select a protocol set and click
    Increase Priority or Decrease Priority to adjust the order you want the
    protocol sets to be checked.



Notice: Adobe, the Adobe logo, PostScript, and the PostScript logo are either
registered trademarks or trademarks of Adobe Systems Incorporated in the United
States, and/or other countries.


Cross-reference information

Product                   Component                              Platform  Version
IBM Security QRadar SIEM  QRadar Risk and Vulnerability Manager  Linux     7.3.3, 7.4.1

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----