CVE-2023-38736: 
IBM WinCollect vulnerability analysis and mitigation

IBM QRadar WinCollect Agent versions 10.0 through 10.1.6, when installed to run as ADMIN or SYSTEM, contains a local privilege escalation vulnerability. The vulnerability was discovered and disclosed in September 2023, affecting the WinCollect Agent component of IBM QRadar SIEM running on Windows platforms (IBM Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) by NIST with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. IBM Corporation assigned a slightly different score of 7.5 (HIGH) with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability exists in the configuration where WinCollect Agent is installed with administrative or system privileges (NVD).

If exploited, this vulnerability allows a normal user with local access to escalate their privileges to SYSTEM level permissions, potentially gaining complete control over the affected system (IBM Advisory).

IBM has released version 10.1.7 to address this vulnerability. For upgrades to 10.1.7, specific remediation steps are required: When using the default path for installation location and data, users must rerun the installer and select the 'modify' option. For custom paths, ensure parent directories have appropriate file permissions to prevent unwanted modifications to WinCollect data and program files. Fresh installations of 10.1.7 or greater are not affected by this vulnerability (IBM Advisory).