-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6333
  IBM QRadar Wincollect agent is vulnerable to using components with known
                               vulnerabilities
                               6 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security QRadar SIEM
Publisher:         IBM
Operating System:  Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-42916 CVE-2022-42915 CVE-2022-37434
                   CVE-2022-35260 CVE-2022-35252 CVE-2022-32221
                   CVE-2022-32208 CVE-2022-32207 CVE-2022-32206
                   CVE-2022-32205 CVE-2022-2097 CVE-2018-25032
Original Bulletin:
   https://www.ibm.com/support/pages/node/6845365

Comment: CVSS (Max):  8.2 CVE-2022-32221 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM QRadar Wincollect agent is vulnerable to using components with known
vulnerabilities

Document Information

Document number    : 6845365
Modified date      : 05 December 2022
Product            : IBM Security QRadar SIEM
Software version   : 10
Operating system(s): Windows

Summary

The product includes vulnerable components (e.g., framework libraries) that
may be identified and exploited with automated tools. IBM has addressed the
relevant vulnerabilities.

Vulnerability Details

CVEID: CVE-2022-42916
DESCRIPTION: cURL libcurl could allow a remote attacker to obtain sensitive
information, caused by an HSTS bypass flaw. If the host name in a URL
contains IDN characters that are replaced by their ASCII counterparts during
IDN conversion, curl's HSTS check can be bypassed so that the transfer stays
on clear-text HTTP. An attacker able to observe or tamper with that traffic
could obtain sensitive information and use it to launch further attacks
against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239061 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-32221
DESCRIPTION: cURL libcurl could allow a remote attacker to bypass security
restrictions, caused by a flaw in how the read callback (CURLOPT_READFUNCTION)
is used to ask for data to send: after a PUT request that used the callback,
a later POST on the same handle may wrongly invoke the callback again even
though CURLOPT_POSTFIELDS has been set. An application caught by this could
send the wrong data or use memory after it has been freed.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239058 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)

CVEID: CVE-2022-35260
DESCRIPTION: cURL libcurl is vulnerable to a denial of service, caused by a
stack-based buffer overflow when parsing a netrc file. By persuading a victim
to use a specially-crafted netrc file, an attacker could exploit this
vulnerability to cause a segfault, resulting in a denial of service
condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239059 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-42915
DESCRIPTION: cURL libcurl is vulnerable to a denial of service, caused by a
double-free flaw in the error/cleanup handling. When curl tunnels a
non-HTTP(S) transfer through an HTTP proxy with a CONNECT request and the
proxy refuses that request with a non-200 status, the faulty cleanup path can
trigger a double free, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239060 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-37434
DESCRIPTION: zlib is vulnerable to a heap-based buffer overflow, caused by
improper bounds checking by inflate in inflate.c.
By using a large gzip header extra field, a remote attacker could overflow a
buffer and execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232849 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2022-32206
DESCRIPTION: cURL libcurl is vulnerable to a denial of service, caused by the
lack of a limit on the number of "links" in a "chained" HTTP compression
sequence. By persuading a victim to connect to a specially-crafted server, a
remote attacker could exploit this vulnerability to insert a virtually
unlimited number of compression steps, resulting in a denial of service
condition.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229740 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2022-32207
DESCRIPTION: cURL libcurl could allow an attacker to obtain sensitive
information, caused by improper preservation of file permissions when saving
cookies, alt-svc and hsts data to local files, which can leave the saved
files readable by other users on the system. An attacker who can read those
files could obtain sensitive information, and use this information to launch
further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229741 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-32208
DESCRIPTION: cURL libcurl is vulnerable to a man-in-the-middle attack, caused
by a flaw in the handling of message verification failures in krb5-secured
FTP transfers. An attacker positioned on the network path could exploit this
vulnerability to carry out a man-in-the-middle attack that goes unnoticed and
to inject data into the communication channel to the client.
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229742 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2022-32205
DESCRIPTION: cURL libcurl is vulnerable to a denial of service, caused by a
server's ability to set an excessive number of Set-Cookie: headers in an HTTP
response to curl. By persuading a victim to connect to a specially-crafted
server, a remote attacker could exploit this vulnerability to make curl's
subsequent requests grow larger than curl's internal request-size threshold,
so that they are refused, resulting in a denial of service condition.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229739 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2022-35252
DESCRIPTION: cURL libcurl is vulnerable to a denial of service, caused by a
flaw in which cookies containing control codes are accepted and later sent
back to an HTTP(S) server. A remote attacker controlling one host could
exploit this vulnerability to make the server return 400 responses to the
cookie-carrying requests, effectively allowing a "sister site" to deny
service to its siblings.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/234980 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2022-2097
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by incomplete encryption of data by the AES OCB mode on
32-bit x86 platforms using the AES-NI assembly optimised implementation,
which in some circumstances leaves up to 16 bytes of data unencrypted. An
attacker able to observe that traffic could obtain sensitive information, and
use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230425 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-25032
DESCRIPTION: zlib is vulnerable to a denial of service, caused by a memory
corruption in the deflate operation.
By using many distant matches, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

IBM X-Force ID: 212233
DESCRIPTION: d3-color is vulnerable to a denial of service, caused by improper
input validation. By sending a specially-crafted string that starts with the
letter 'A' to the rgb() and hrc() functions, a remote attacker could exploit
this vulnerability to cause a regular expression denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212233 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+-----------------------+---------------+
|Affected Product(s)    |Version(s)     |
+-----------------------+---------------+
|QRadar WinCollect Agent|10.0.0 - 10.1.0|
+-----------------------+---------------+

Remediation/Fixes

IBM recommends customers upgrade their systems promptly. There is a new
upgrade for the Wincollect standalone agent. The following Wincollect
standalone agent versions can be used to upgrade the affected versions to
resolve the vulnerability.
For information on how to upgrade your WinCollect version, see the WinCollect
10.1.1 release notes: https://www.ibm.com/support/pages/node/6842161

Download and install the Wincollect standalone agent version 10.1.1:

For QRadar 7.5:

+-------------------------+------------+-------------------------------------------+
|Product                  |Architecture|Firmware                                   |
+-------------------------+------------+-------------------------------------------+
|QRadar WinCollect        |32-bit (x86)|7.5.0-QRADAR-AGENT_x86_WINCOLLECT-10.1.1-30|
|Standalone Agent         |            |                                           |
+-------------------------+------------+-------------------------------------------+
|QRadar WinCollect        |64-bit (x64)|7.5.0-QRADAR-AGENT_x64_WINCOLLECT-10.1.1-30|
|Standalone Agent         |            |                                           |
+-------------------------+------------+-------------------------------------------+

For QRadar 7.4:

+-------------------------+------------+-------------------------------------------+
|Product                  |Architecture|Firmware                                   |
+-------------------------+------------+-------------------------------------------+
|QRadar WinCollect        |32-bit (x86)|7.4.0-QRADAR-AGENT_x86_WINCOLLECT-10.1.1-30|
|Standalone Agent         |            |                                           |
+-------------------------+------------+-------------------------------------------+
|QRadar WinCollect        |64-bit (x64)|7.4.0-QRADAR-AGENT_x64_WINCOLLECT-10.1.1-30|
|Standalone Agent         |            |                                           |
+-------------------------+------------+-------------------------------------------+

Workarounds and Mitigations

None

Change History

01 Dec 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY47hl8kNZI30y1K9AQhlRhAApd2jVudASMbrawg9Og3J9XunkFbKu0yd
p2zMv7Sb73HPJ17bhbSSo6gdiMyUh5pbMDtWx3mklpDqEwT3mYCzV4hZURVflK/v
j9Cz4jqpPLP8O7Q1gdlTYh/9WBUiS0OYq0kn0MKzDVLp2OXTXhqb2UUA5r2g/29i
49b0ARhRB2lKQFhW0Rrv0FGd6fY5Q4pX2ZYlgeGWbL9SyCXfyR373w815z/4NPCd
xypSxfn5TlDeqGHP8NvjYi/uMWJlOWsl4jdlvzC9aw2U3lQ9X8XVoBfa3Ln7oMuf
y+CUfw/KMhs/9dPfLCmgyjV0Q9Es6WK+gYfX8BKwMKtRQ385xOfOux0lL0lNdi4u
+siVYO1G0jq056nbn1DUbRxLwmAIGRTFduqsWdcuRxEAUGE6Ah8XlmjObJHKj7JB
Ixz5ljiqNXXQB/hrswOkSAD3TTEHLo2vhlvI6N/k8TVCwjI3IVNsiTWbJHYmSolw
ta1vv89rtLhDMaSajgEb6P7C7AaBicoC4piH2NluO211lFP4XcVoeY0jzoyVNMdc
qu5RWMT6eGztbt55Mtw78CpnrGCge2ZSPS1Ck3MsWjMeqPyOl4d4vlADiOgLhgGL
PDu809K9ta3qoWKnPfNrbQskrK3Bz7azWeXjFrfP4/0b/aguizCHzRKsZo0HAYfI
YWyiTDJKDr0=
=/7HS
-----END PGP SIGNATURE-----