Arctic Wolf has recently worked on multiple incident response cases where we have observed a Cactus ransomware campaign exploiting vulnerabilities in Qlik Sense to gain initial access. Based on available evidence, we assess that all vulnerabilities exploited were previously identified by researchers from Praetorian, involving CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365.
On August 29, 2023, Qlik published a support article detailing two vulnerabilities which when successfully exploited in tandem could lead to an unauthenticated threat actor achieving remote code execution (RCE).
CVE-2023-41266: A path traversal vulnerability stemming from improper user input validation which could allow a remote, unauthenticated threat actor to create an anonymous session by sending maliciously crafted HTTP requests. This anonymous session could allow them to send further requests to unauthorized endpoints.
CVE-2023-41265: An HTTP tunnelling vulnerability due to improper validation of HTTP headers. If successfully exploited a threat actor could elevate their privileges and execute HTTP requests on the backend server hosting the software.
On September 20, 2023, Qlik published a follow-up article addressing a new vulnerability (CVE-2023-48365) that resulted from an incomplete fix for CVE-2023-41265. Researchers at Praetorian demonstrated that threat actors could bypass the original fix by further modifying their malicious HTTP request. The patch for CVE-2023-48365 also includes the fixes for CVE-2023-41265 and CVE-2023-41266.
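The page describes CVE-2023-41266 as a path traversal caused by improper input validation, and CVE-2023-48365 as a bypass of an incomplete fix that worked by further modifying the request. The following added example (not Qlik's code and not derived from the Praetorian research) illustrates, from the application side, why a substring-style check is an incomplete fix and what a normalization-based check looks like. The `/resources/` prefix and the request paths are constructed for illustration and are not Qlik endpoints or observed indicators.

```python
"""Contrast a naive traversal check with a normalization-based one.

Added example; the endpoint prefix and sample paths below are constructed
and do not correspond to Qlik Sense or any observed attack traffic.
"""
import posixpath
from urllib.parse import unquote


def _fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded sequences are revealed."""
    prev, cur, rounds = None, value, 0
    while cur != prev and rounds < max_rounds:
        prev, cur = cur, unquote(cur)
        rounds += 1
    return cur


def naive_is_safe(path: str) -> bool:
    """The kind of check an incomplete fix relies on: a literal substring test.

    It looks at the raw request path only, so encoded or backslash-separated
    variants of the same traversal slip through.
    """
    return "../" not in path


def hardened_is_safe(path: str, allowed_prefix: str = "/resources/") -> bool:
    """Decode, canonicalize, then decide on the *resulting* path.

    The decision is made on the path the server would actually resolve,
    not on the bytes the client sent, so request-level variations no longer
    matter. `allowed_prefix` is a hypothetical public sub-tree.
    """
    decoded = _fully_decode(path)
    # Windows hosts treat backslash as a separator; canonicalize it first.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded or not decoded.startswith("/"):
        return False
    normalized = posixpath.normpath(decoded)  # collapses "." and ".." segments
    root = allowed_prefix.rstrip("/")
    return normalized == root or normalized.startswith(root + "/")


# Constructed request paths: one legitimate, one plain traversal, and three
# variants that differ only in encoding or separator.
SAMPLE_REQUEST_PATHS = [
    "/resources/report.qvf",
    "/resources/../admin/config",
    "/resources/..%2Fadmin/config",
    "/resources/%252e%252e/admin/config",
    "/resources/..\\admin/config",
]


def naive_misses(paths):
    """Return paths the naive check accepts but the hardened check rejects."""
    return [p for p in paths if naive_is_safe(p) and not hardened_is_safe(p)]


if __name__ == "__main__":
    for p in SAMPLE_REQUEST_PATHS:
        print(f"{p!r:45} naive={naive_is_safe(p)!s:5} hardened={hardened_is_safe(p)}")
    print("missed by naive check:", naive_misses(SAMPLE_REQUEST_PATHS))
```

The design point is that the fix should be applied to the canonical path after decoding and separator normalization, with an allow-list prefix comparison, rather than to the raw request string; the same principle is what a reviewer would check when evaluating whether a vendor patch for a traversal issue is complete.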
Recommendations for CVE-2023-41265, CVE-2023-41266 & CVE-2023-48365
Upgrade Qlik Enterprise for Windows
Arctic Wolf strongly recommends upgrading Qlik Enterprise for Windows to a fixed version. Qlik software can be downloaded from the Qlik Download page (login required).
All versions prior to and including:
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
The Arctic Wolf Labs Threat Intelligence Research Team has identified that these vulnerabilities are being actively exploited in what appears to be an active ransomware campaign.