===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6333
            IBM QRadar Wincollect agent is vulnerable to using
                   components with known vulnerabilities
                              6 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security QRadar SIEM
Publisher:         IBM
Operating System:  Windows
Resolution:        None
CVE Names:         CVE-2022-42916 CVE-2022-42915 CVE-2022-37434
                   CVE-2022-35260 CVE-2022-35252 CVE-2022-32221
                   CVE-2022-32208 CVE-2022-32207 CVE-2022-32206
                   CVE-2022-32205 CVE-2022-2097 CVE-2018-25032

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6845365

Comment: CVSS (Max):  8.2 CVE-2022-32221 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM QRadar Wincollect agent is vulnerable to using
components with known vulnerabilities

Document Information

Document number    : 6845365
Modified date      : 05 December 2022
Product            : IBM Security QRadar SIEM
Software version   : 10
Operating system(s): Windows

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools. IBM has addressed the
relevant vulnerabilities.

Vulnerability Details

CVEID:   CVE-2022-42916
DESCRIPTION:   cURL libcurl could allow a remote attacker to obtain sensitive
information, caused by an HSTS bypass flaw. By sending a specially-crafted URL
whose host name contains ASCII counterparts produced by the IDN conversion, an
attacker could exploit this vulnerability to obtain sensitive information from
clear-text HTTP transmission, and use this information to launch further
attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
239061 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2022-32221
DESCRIPTION:   cURL libcurl could allow a remote attacker to bypass security
restrictions, caused by a flaw when using the read callback
(CURLOPT_READFUNCTION) to ask for data to send. By sending a specially-crafted
request, an attacker could exploit this vulnerability to make the application
send the wrong data or use memory after it has been freed.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
239058 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)

CVEID:   CVE-2022-35260
DESCRIPTION:   cURL libcurl is vulnerable to a denial of service, caused by a
stack-based buffer overflow. By persuading a victim to open a specially-crafted
netrc file, a remote attacker could exploit this vulnerability to cause a
segfault, resulting in a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
239059 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-42915
DESCRIPTION:   cURL libcurl is vulnerable to a denial of service, caused by a
double-free flaw in the error/cleanup handling. By sending a specially-crafted
CONNECT request, a remote attacker could exploit this vulnerability to cause
the HTTP proxy to refuse the request, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
239060 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-37434
DESCRIPTION:   zlib is vulnerable to a heap-based buffer overflow, caused by
improper bounds checking by inflate in inflate.c. By using a large gzip header
extra field, a remote attacker could overflow a buffer and execute arbitrary
code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
232849 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2022-32206
DESCRIPTION:   cURL libcurl is vulnerable to a denial of service, caused by a
flaw in the number of acceptable "links" in the "chained" HTTP compression
algorithms. By persuading a victim to connect to a specially-crafted server, a
remote attacker could exploit this vulnerability to insert a virtually
unlimited number of compression steps, resulting in a denial of service
condition.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
229740 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:   CVE-2022-32207
DESCRIPTION:   cURL libcurl could allow a remote attacker to obtain sensitive
information, caused by improper preservation of permissions when saving
cookies, alt-svc and hsts data to local files. By sending a specially-crafted
request, an attacker could exploit this vulnerability to obtain sensitive
information, and use this information to launch further attacks against the
affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
229741 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2022-32208
DESCRIPTION:   cURL libcurl is vulnerable to a man-in-the-middle attack, caused
by a flaw in the handling of message verification failures. An attacker could
exploit this vulnerability to launch a man-in-the-middle attack and gain access
to the communication channel between endpoints to inject data to the client.
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
229742 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID:   CVE-2022-32205
DESCRIPTION:   cURL libcurl is vulnerable to a denial of service, caused by an
issue with the ability of a server to set excessive amounts of Set-Cookie:
headers in an HTTP response to curl. By persuading a victim to connect to a
specially-crafted server, a remote attacker could exploit this vulnerability to
create requests that become larger than the threshold, resulting in a denial
of service condition.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
229739 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:   CVE-2022-35252
DESCRIPTION:   cURL libcurl is vulnerable to a denial of service, caused by a
flaw when cookies that contain control codes are later sent back to an HTTP(S)
server. By sending a specially-crafted request, a remote attacker could exploit
this vulnerability to cause a "sister site" to deny service to siblings.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
234980 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2022-2097
DESCRIPTION:   OpenSSL could allow a remote attacker to obtain sensitive
information, caused by improper encryption of data by the AES OCB mode for
32-bit x86 platforms using the AES-NI assembly optimised implementation. By
sending a specially-crafted request, an attacker could exploit this
vulnerability to obtain sensitive information, and use this information to
launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
230425 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2018-25032
DESCRIPTION:   Zlib is vulnerable to a denial of service, caused by a memory
corruption in the deflate operation. By using many distant matches, a remote
attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
222615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

IBM X-Force ID:   212233
DESCRIPTION:   d3-color is vulnerable to a denial of service, caused by
improper input validation. By sending a specially-crafted string that starts
with the letter 'A' to the rgb() and hrc() functions, a remote attacker could
exploit this vulnerability to cause a regular expression denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
212233 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+-----------------------+---------------+
|Affected Product(s)    |Version(s)     |
+-----------------------+---------------+
|QRadar WinCollect Agent|10.0.0 - 10.1.0|
+-----------------------+---------------+
Remediation/Fixes

IBM recommends customers upgrade their systems promptly.

There is a new upgrade for the WinCollect standalone agent. The following
WinCollect standalone agent versions can be used to upgrade the affected
versions to resolve the vulnerabilities. For information on how to upgrade your
WinCollect version, see the WinCollect 10.1.1 release notes:

https://www.ibm.com/support/pages/node/6842161

Download and install the WinCollect standalone agent version 10.1.1 matching
your QRadar version:

QRadar 7.5

+-------------------------+-------+-------------------------------------------+
|Product                  |Version|Firmware                                   |
|                         |(s)    |                                           |
+-------------------------+-------+-------------------------------------------+
|QRadar WinCollect        |32-bit |7.5.0-QRADAR-AGENT_x86_WINCOLLECT-10.1.1-30|
|Standalone Agent         |       |                                           |
+-------------------------+-------+-------------------------------------------+
|QRadar WinCollect        |64-bit |7.5.0-QRADAR-AGENT_x64_WINCOLLECT-10.1.1-30|
|Standalone Agent         |       |                                           |
+-------------------------+-------+-------------------------------------------+

QRadar 7.4

+-------------------------+-------+-------------------------------------------+
|Product                  |Version|Firmware                                   |
|                         |(s)    |                                           |
+-------------------------+-------+-------------------------------------------+
|QRadar WinCollect        |32-bit |7.4.0-QRADAR-AGENT_x86_WINCOLLECT-10.1.1-30|
|Standalone Agent         |       |                                           |
+-------------------------+-------+-------------------------------------------+
|QRadar WinCollect        |64-bit |7.4.0-QRADAR-AGENT_x64_WINCOLLECT-10.1.1-30|
|Standalone Agent         |       |                                           |
+-------------------------+-------+-------------------------------------------+
Workarounds and Mitigations

None
Change History

01 Dec 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================