by Excellium SA

Abstract Advisory Information

Since version v7.3.0, authentication on Qradar can be federated to external authentication services, such as LDAP, Active Directory or Radius.

When this feature is used, special care should be put on the configuration if local fallback is enabled.

Local fallback is disabled by default, except for the default administrator account, named admin, for which it is always enabled by default.

While it prevents the administrative user from being locked out of the system, it also means you must ensure that the configured external authentication

provider is trustworthy. Indeed, as there are no local-only accounts at the moment, an admin account created in the external authentication provider would be de facto admin of the Qradar as well.

CERT-XLM highly recommends following the deployment best practices indicated by the vendor when using these features.

Authors: Sébastien Kaiser (Excellium Services) and Jonathan Krier (Quintet)

Version affected

Qradar v7.3.0 and higher


– Documentation update: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/c_qradar_adm_auth_ovrvw.html
– Deployment best practices: https://www.ibm.com/support/pages/node/6367391

Vulnerability Disclosure Timeline

03/08/2020: potential risks in configuration discovered
25/08/2020: acknowledgement of IBM PSIRT
11/11/2020: Documentation update describing the potential risks
18/11/2020: IBM PSIRT confirms 2Q21 as the anticipated target for security enhancements in authentication