CVE-2022-22424 in QRadar SIEM
Summary
by MITRE • 07/20/2022
IBM QRadar SIEM 7.3, 7.4, and 7.5 could allow a local user to obtain sensitive information from the TLS key file due to incorrect file permissions. IBM X-Force ID: 223597.
Analysis
by VulDB Data Team • 08/15/2022
IBM QRadar SIEM versions 7.3, 7.4, and 7.5 contain a critical information disclosure vulnerability that affects local users with access to the system. The flaw stems from improper file permissions assigned to the TLS key file, which allows unauthorized local users to read sensitive cryptographic material. This vulnerability represents a direct violation of the principle of least privilege and exposes the system to potential cryptographic attacks. The issue falls under CWE-732, which specifically addresses incorrect permissions for a resource that should be protected, making it a fundamental access control flaw. The vulnerability exists because the TLS key file is not properly secured with restrictive permissions, enabling local users to access private cryptographic keys that should remain protected.
The operational impact of this vulnerability extends beyond simple information disclosure, as it fundamentally compromises the security posture of the QRadar SIEM environment. When local users can access TLS key files, they gain the ability to decrypt communications, impersonate services, and potentially establish persistent access to the system. This creates a significant attack surface that aligns with ATT&CK technique T1552.001, which covers the acquisition of credentials through the compromise of key material. The vulnerability enables attackers to perform man-in-the-middle attacks against communications between QRadar components and external systems, undermining the integrity and confidentiality guarantees that TLS encryption is designed to provide. The exposure of private keys can lead to complete system compromise and data breaches that could affect thousands of monitored network events and security alerts.
Organizations running affected QRadar versions face substantial risk from this vulnerability, particularly in environments where multiple users have local access to the system. The flaw can be exploited by any local user, including those with minimal privileges, making it especially dangerous in multi-tenant or shared hosting environments. The vulnerability directly impacts the security of sensitive data that QRadar processes, including network traffic logs, security events, and threat intelligence. IBM has addressed this issue through security updates that correct file permissions for TLS key files, requiring administrators to apply the latest patches immediately. The remediation process involves verifying and correcting file permissions for the TLS key files to ensure that only authorized system processes can access these critical cryptographic materials. Organizations should also implement regular security audits to verify that cryptographic key files maintain appropriate permissions and conduct privilege reviews to minimize local access rights. The vulnerability serves as a reminder of the critical importance of proper file permission management in security-critical applications and demonstrates how seemingly simple misconfigurations can lead to severe security consequences.
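As an added defender-side check, not code from IBM or VulDB, the following POSIX shell audit flags private-key files whose mode grants any access to group or others, the CWE-732 condition described above; the file paths are placeholders, since the page does not name the actual key file on the appliance.

```shell
#!/bin/sh
# Added audit helper (not IBM's or VulDB's code): report private-key files
# whose permission bits expose them to group or other users, the incorrect
# file permission condition behind CVE-2022-22424. Paths below are
# constructed placeholders; substitute the real TLS key file locations.

# check_key_perms FILE
# Returns 0 when only the owner has any permission bits (mode ?00), and 1
# when any group/other bit is set or the file is missing. It parses the
# 10-character mode string of `ls -l`, which both GNU and BSD userland print.
check_key_perms() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"
        return 1
    fi
    mode=$(ls -ld "$f" | cut -c1-10)
    # characters 5-10 are the group and other permission triplets
    case "$(printf '%s' "$mode" | cut -c5-10)" in
        ------) echo "OK       $mode $f"; return 0 ;;
        *)      echo "EXPOSED  $mode $f"; return 1 ;;
    esac
}

# audit_key_files FILE...
# Prints one line per file; the exit status is the number of exposed or
# missing files, so 0 means every key passed the audit.
audit_key_files() {
    findings=0
    for f in "$@"; do
        check_key_perms "$f" || findings=$((findings + 1))
    done
    return $findings
}

# Self-contained demo on constructed files: one correct (0600), one
# world-readable (0644) like the flaw described on this page.
demo_dir=$(mktemp -d)
printf 'placeholder key material\n' > "$demo_dir/good.key"
printf 'placeholder key material\n' > "$demo_dir/bad.key"
chmod 600 "$demo_dir/good.key"
chmod 644 "$demo_dir/bad.key"
if audit_key_files "$demo_dir/good.key" "$demo_dir/bad.key"; then
    echo "audit passed"
else
    echo "findings: $?"
fi
rm -rf "$demo_dir"
```

Run it periodically (for example from a scheduled job) against the real key paths and alert on a non-zero exit status.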