CVE-2016-9738

Vulnerability

IBM QRadar SIEM versions 7.2.0 through 7.2.8 Patch 6 and 7.3.0 through 7.3.0 Patch 1 do not require users to have strong passwords by default [1]. This means that the product does not enforce password complexity or length policies out of the box, allowing users to set weak passwords that are vulnerable to automated guessing or brute-force attacks [1].

Exploitation

An attacker can exploit this weakness by performing a remote brute-force or password guessing attack against QRadar user accounts [1]. The attack is network-based, requires no authentication or user interaction, but does require high attack complexity due to the need for successful guessing across the network [1]. The attacker can use common password lists or automated tools to attempt to authenticate as legitimate users.

Impact

Successful exploitation allows the attacker to compromise user accounts, leading to a loss of confidentiality [1]. The attacker gains the privileges of the compromised user account, which could include access to sensitive security event data and administrative functions if a privileged account is compromised [1]. The CVSS vector indicates the impact is solely on confidentiality (C:H / I:N / A:N) [1].

Mitigation

According to the advisory, a fix is not provided as a direct patch [1]. Instead, administrators are expected to configure password policies within QRadar to enforce strong passwords manually [1]. The advisory states "Workarounds and Mitigations: None," meaning no official patch or workaround is available from IBM; however, the product does support custom password policies that can be implemented by administrators [1].