CVE-2023-41265, CVE-2023-41266 & CVE-2023-48365: Multiple Vulnerabilities in Qlik Sense Enterprise Actively Exploited


Arctic Wolf has recently worked on multiple incident response cases where we have observed a Cactus ransomware campaign exploiting vulnerabilities in Qlik Sense to gain initial access. Based on available evidence, we assess that all vulnerabilities exploited were previously identified by researchers from Praetorian, involving CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365. 

On August 29, 2023, Qlik published a support article detailing two vulnerabilities which, when exploited in tandem, could allow an unauthenticated threat actor to achieve remote code execution (RCE).

CVE-2023-41266: A path traversal vulnerability stemming from improper user input validation which could allow a remote, unauthenticated threat actor to create an anonymous session by sending maliciously crafted HTTP requests. This anonymous session could allow them to send further requests to unauthorized endpoints.  

CVE-2023-41265: An HTTP tunnelling vulnerability due to improper validation of HTTP headers. If successfully exploited, a threat actor could elevate their privileges and execute HTTP requests on the backend server hosting the software.

On September 20, 2023, Qlik published another article to address a new vulnerability, CVE-2023-48365, which resulted from an incomplete fix for CVE-2023-41265. Researchers at Praetorian demonstrated that threat actors could bypass the original fix by further modifying their malicious HTTP request. The patch for CVE-2023-48365 also includes the fixes for CVE-2023-41265 and CVE-2023-41266.

Recommendations for CVE-2023-41265, CVE-2023-41266 & CVE-2023-48365

Upgrade Qlik Enterprise for Windows 

Arctic Wolf strongly recommends upgrading Qlik Enterprise for Windows to a fixed version. Qlik software can be downloaded from the Qlik Download page (login required).  

Product: Qlik Enterprise for Windows

Affected versions: all versions prior to and including

  • August 2023 Patch 1
  • May 2023 Patch 5
  • February 2023 Patch 9
  • November 2022 Patch 11
  • August 2022 Patch 13
  • May 2022 Patch 15
  • February 2022 Patch 14
  • November 2021 Patch 16

CVEs: CVE-2023-41265, CVE-2023-41266, CVE-2023-48365

Fixed versions:

  • August 2023 Patch 2
  • May 2023 Patch 6
  • February 2023 Patch 10
  • November 2022 Patch 12
  • August 2022 Patch 14
  • May 2022 Patch 16
  • February 2022 Patch 15
  • November 2021 Patch 17

Please follow your organization’s patching and testing guidelines to avoid any operational impact.  
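As an added example (not part of the Arctic Wolf advisory and not Qlik tooling), the following Python turns the fixed-version table above into a small inventory check that flags installed builds still below the fixed patch level for their release train. It assumes each installed build is known in Qlik's "<Month> <Year> Patch <N>" release naming; the host inventory at the bottom is constructed sample data, and the "not_listed" outcome for release trains newer than the table is this example's own convention.

```python
"""Compare installed Qlik Sense Enterprise for Windows builds against the fixed
versions in the advisory table. Added illustration, not Qlik or Arctic Wolf code.

Assumption (ours, not from the advisory): each installed build is known as a
"<Month> <Year> Patch <N>" string, the form Qlik uses for release names,
e.g. "May 2023 Patch 4". Anything else is rejected as unparseable.
"""
import re
from typing import Dict, List, Tuple

# Lowest patch level that carries the fix, per release train, copied from the
# advisory's "Fixed versions" list.
FIXED_PATCH: Dict[Tuple[str, int], int] = {
    ("August", 2023): 2,
    ("May", 2023): 6,
    ("February", 2023): 10,
    ("November", 2022): 12,
    ("August", 2022): 14,
    ("May", 2022): 16,
    ("February", 2022): 15,
    ("November", 2021): 17,
}

# Oldest release train the table lists. The advisory says "all versions prior
# to and including" the affected builds, so anything older is vulnerable.
OLDEST_LISTED_TRAIN = ("November", 2021)

MONTH_NUMBER = {m: i for i, m in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}

_VERSION_RE = re.compile(
    r"^\s*(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})\s+Patch\s+(?P<patch>\d+)\s*$",
    re.IGNORECASE,
)


def parse_version(version: str) -> Tuple[str, int, int]:
    """Split 'May 2023 Patch 4' into ('May', 2023, 4); case-insensitive."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Qlik version string: {version!r}")
    month = m.group("month").capitalize()
    if month not in MONTH_NUMBER:
        raise ValueError(f"unknown month in version string: {version!r}")
    return month, int(m.group("year")), int(m.group("patch"))


def _train_order(month: str, year: int) -> Tuple[int, int]:
    """Sort key so release trains compare chronologically."""
    return year, MONTH_NUMBER[month]


def assess(version: str) -> str:
    """Classify one build as 'fixed', 'vulnerable' or 'not_listed'.

    'not_listed' covers trains newer than the table (shipped after the
    advisory); confirm those against Qlik's release notes rather than assuming.
    """
    month, year, patch = parse_version(version)
    fixed_patch = FIXED_PATCH.get((month, year))
    if fixed_patch is not None:
        return "fixed" if patch >= fixed_patch else "vulnerable"
    if _train_order(month, year) < _train_order(*OLDEST_LISTED_TRAIN):
        return "vulnerable"  # older train, no fixed build listed at all
    return "not_listed"


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return hosts whose build is below the fixed patch for its train, sorted."""
    return sorted(h for h, v in inventory.items() if assess(v) == "vulnerable")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "qlik-prod-01": "August 2023 Patch 1",
        "qlik-prod-02": "August 2023 Patch 2",
        "qlik-dev-01": "may 2023 patch 4",
        "qlik-legacy": "February 2021 Patch 3",
    }
    for host, build in sample.items():
        print(f"{host:14} {build:24} {assess(build)}")
    print("needs patching:", hosts_needing_patch(sample))
```

Feed `hosts_needing_patch` the version strings your asset inventory already holds for each Qlik server; builds on a release train older than November 2021 have no fixed patch in the table, so the only remediation for them is moving to a supported train.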

The Arctic Wolf Labs Threat Intelligence Research Team has identified that these vulnerabilities are being exploited in what appears to be an active ransomware campaign.

References 

  1. Qlik advisory for CVE-2023-41265 & CVE-2023-41266 
  2. Praetorian writeup (CVE-2023-41265 & CVE-2023-41266)
  3. Qlik advisory for CVE-2023-48365 
  4. Praetorian writeup (CVE-2023-48365) 
James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.