CVE-2024-45636
Description
IBM Security QRadar EDR 3.12 through 3.12.24 stores user credentials in plaintext, allowing local privileged users to read sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
IBM Security QRadar EDR versions 3.12 through 3.12.24 store user credentials in plaintext. This vulnerability, identified as CWE-256, resides in the credential storage mechanism and affects all installations within the specified version range. A local privileged user can access the stored credentials by reading the plaintext files [1].
Exploitation
To exploit this vulnerability, an attacker must have local privileged access to the affected system. No user interaction or network access is required beyond the initial system compromise. The attacker can then read the plaintext credential storage, revealing sensitive authentication information [1].
Impact
Successful exploitation leads to the disclosure of user credentials, which may include passwords or other authentication secrets. This increases the risk of further unauthorized access, including potential lateral movement or privilege escalation, depending on the scope of the leaked credentials. The confidentiality impact is high, while integrity and availability are not directly affected [1].
Mitigation
IBM has released version 3.12.25 to address this issue. Users should upgrade to this fixed version as soon as possible. The QRadar EDR operator can be configured for automatic or manual upgrade approval. No workarounds or mitigations are available for versions prior to 3.12.25 [1].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=3.12, <=3.12.24
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.