Executive Summary
CVE-2023-41265 is a critical HTTP request tunneling vulnerability in Qlik Sense Enterprise for Windows. It carries a CVSS v3.1 base score of 9.9 and lets a remote attacker elevate privileges by embedding a second HTTP request inside a request to the Qlik Sense proxy; the backend repository service then executes the embedded request. On its own the issue is scored as requiring a low-privileged account (PR:L), but in the wild it has been chained with CVE-2023-41266, a path traversal in the same product fixed in the same releases, to obtain unauthenticated remote code execution on the server. Exploitation has been observed across many industries worldwide, with a notable impact on organizations in the United States and Europe. Immediate action is required to mitigate the risks associated with this vulnerability.
Technical Information
CVE-2023-41265 affects multiple versions of Qlik Sense Enterprise for Windows: May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier. The root cause is improper validation of HTTP headers by the proxy component that fronts the product, which lets a remote attacker tunnel a second HTTP request inside the raw request the proxy forwards. The backend server hosting the repository application executes that tunneled request with the trust it extends to the proxy, so an attacker who can reach the proxy can issue repository requests they were never authorized to make.
The vulnerability's critical nature is underscored by its CVSS v3.1 Base Score of 9.9, with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. This score indicates that the vulnerability is remotely exploitable with low attack complexity and no user interaction, and that it has a high impact on confidentiality, integrity, and availability. PR:L records that the scoring assumes a low-privileged account, and S:C records that a request accepted by one component (the proxy) compromises a different one (the repository service), which is what drives the score to 9.9.
Because the tunneled request is executed by the backend rather than checked by the proxy, the attacker reaches repository functionality that the proxy would otherwise deny. In observed attacks this was chained with CVE-2023-41266 to obtain an anonymous session first, and the resulting access was turned into remote code execution on the server. From there the outcomes are those of any server compromise: unauthorized access, data exfiltration, and deployment of malware or ransomware.
Exploitation in the Wild
CVE-2023-41265 has been exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities Catalog. Exploitation consists of sending crafted HTTP requests to an exposed Qlik Sense proxy so that the backend repository service executes the embedded request with elevated privileges. Public reporting on this vulnerability includes the Cactus ransomware campaign documented by Arctic Wolf and the ZeroQlik Detect proof-of-concept (PoC) published by Praetorian.
Arctic Wolf observed the Cactus ransomware campaign exploiting CVE-2023-41265 on internet-facing Qlik Sense servers to gain initial access. The operators use the tunneled requests to obtain code execution on the server and then deploy ransomware. More details can be found on the Arctic Wolf Blog.
Praetorian's ZeroQlik Detect PoC shows how CVE-2023-41265 is triggered and lets defenders test whether an installation is affected. It illustrates how little effort is needed to compromise an unpatched Qlik Sense Enterprise for Windows installation. More details can be found on the Praetorian GitHub.
APT Groups using this vulnerability
No specific APT group has been publicly attributed to exploitation of this vulnerability. Given its severity and its confirmed use by ransomware operators, it is a realistic candidate for adoption by more sophisticated actors. Victims reported so far span a range of industries, with a notable concentration in the United States and Europe, and any internet-reachable Qlik Sense server should be treated as at risk regardless of sector.
Affected Product Versions
The affected versions of Qlik Sense Enterprise for Windows include:
- May 2023 Patch 3 and earlier
- February 2023 Patch 7 and earlier
- November 2022 Patch 10 and earlier
- August 2022 Patch 12 and earlier
The fixed versions that address this vulnerability are:
- August 2023 IR
- May 2023 Patch 4
- February 2023 Patch 8
- November 2022 Patch 11
- August 2022 Patch 13
Workaround and Mitigation
To mitigate the risks associated with CVE-2023-41265, organizations should take the following steps:
Update to a patched version: Move Qlik Sense Enterprise for Windows to one of the fixed releases listed above. Note that Qlik later reported this fix as incomplete and tracked the bypass as CVE-2023-48365 with a further round of patches, so confirm the required patch level against Qlik's current advisory rather than against the list in this report alone.
Monitor for unusual activity: Review logs from the Qlik Sense proxy and from any WAF or reverse proxy in front of it for requests that carry a second request line in the headers or body, bytes beyond the declared Content-Length, or conflicting Content-Length and Transfer-Encoding headers. On an internet-facing server, treat any such hit as a probable exploitation attempt and check the host for follow-on activity.
Apply vendor recommendations: Follow the guidance provided by Qlik in their official support articles and release notes.
Additionally, do not expose the Qlik Sense hub and proxy directly to the internet where a VPN or identity-aware access layer can front them; segment the server from the rest of the network; run the Qlik services with least privilege; and assess the host for signs of prior compromise before treating patching as complete, since patching does not evict an attacker who already has a foothold.
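The mechanism described under Technical Information and the monitoring step above both reduce to one question: does a request carry a second request that a trusting backend would execute? The following Python script is an added example written for this report; it is not Qlik's code, not Praetorian's tool, and not a signature for CVE-2023-41265. It applies generic request-framing checks (a request line embedded in the header block or body, bytes beyond the declared Content-Length, conflicting Content-Length and Transfer-Encoding headers) to raw HTTP/1.x requests. The sample requests, hostnames and paths are constructed for the example and are not Qlik endpoints.

```python
"""Heuristic screen for HTTP request tunneling / smuggling indicators.
Added example for this report: generic request-framing checks, not Qlik's code
and not a signature for CVE-2023-41265. Samples below are constructed, not captured."""
import re
from typing import Dict, List, Tuple

# An HTTP/1.x request line anchored at the start of a line (trailing CR tolerated).
REQUEST_LINE = re.compile(
    rb"(?m)^(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r?$"
)


def split_request(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Split a raw request into (request line, header block, body).
    Bare-LF separators are accepted because lenient front ends accept them."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, _, body = raw.partition(b"\n\n")
    request_line, _, header_block = head.partition(b"\n")
    return request_line.rstrip(b"\r"), header_block, body


def analyze_request(raw: bytes) -> List[str]:
    """Return the tunneling / smuggling indicators found in one raw request.
    An empty list means no indicator fired, not that the request is safe."""
    findings: List[str] = []
    _, header_block, body = split_request(raw)
    headers: List[Tuple[bytes, bytes]] = []
    for line in header_block.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:  # not a header at all; typically an injected request line
            findings.append(f"malformed header line: {line[:40]!r}")
        headers.append((name.strip().lower(), value.strip()))
    names = [n for n, _ in headers]

    # Conflicting framing lets front end and back end disagree on where one
    # request ends and the next begins (classic CL.TE / TE.CL smuggling).
    if names.count(b"content-length") > 1:
        findings.append("duplicate Content-Length")
    if b"content-length" in names and b"transfer-encoding" in names:
        findings.append("Content-Length and Transfer-Encoding both present")

    # A request line anywhere after the first line is a tunneled request.
    if REQUEST_LINE.search(header_block):
        findings.append("request line embedded in header block")
    if REQUEST_LINE.search(body):
        findings.append("request line inside body")

    # Bytes past the declared Content-Length are what a trusting back end
    # would parse as the next request on the same connection.
    declared = next((v for n, v in headers if n == b"content-length"), None)
    if declared is not None and declared.isdigit():
        extra = body[int(declared.decode()):]
        if REQUEST_LINE.match(extra):
            findings.append("second request after declared Content-Length")
        elif extra:
            findings.append("unexplained bytes after declared Content-Length")
    return findings


# Constructed sample requests; hosts and paths are placeholders, not Qlik endpoints.
SAMPLES: Dict[str, bytes] = {
    "benign": (
        b"POST /api/v1/login HTTP/1.1\r\nHost: bi.example.internal\r\n"
        b"Content-Type: application/json\r\nContent-Length: 25\r\n\r\n"
        b'{"user":"alice","pw":"x"}'
    ),
    # Well-formed request with a second request appended past Content-Length.
    "tunneled": (
        b"POST /api/v1/login HTTP/1.1\r\nHost: bi.example.internal\r\n"
        b"Content-Length: 25\r\n\r\n" b'{"user":"alice","pw":"x"}'
        b"GET /internal/admin HTTP/1.1\r\nHost: backend\r\n\r\n"
    ),
    # Conflicting framing with a request hidden after the chunked terminator.
    "smuggled": (
        b"POST /api/v1/login HTTP/1.1\r\nHost: bi.example.internal\r\n"
        b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
        b"0\r\n\r\nGET /internal/admin HTTP/1.1\r\nHost: backend\r\n\r\n"
    ),
    # CRLF injected into a header value, splicing a request line into the headers.
    "header_injected": (
        b"GET /resources/ HTTP/1.1\r\nHost: bi.example.internal\r\n"
        b"X-Forwarded-For: 10.0.0.5\r\nGET /internal/admin HTTP/1.1\r\nHost: backend\r\n\r\n"
    ),
}


def triage(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the checks over a batch and keep only the requests with findings."""
    return {name: f for name, raw in samples.items() if (f := analyze_request(raw))}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run it as-is to see the three constructed malicious samples flagged and the benign one pass; in practice feed it raw requests recorded by a reverse proxy or carved from a packet capture. The checks are deliberately generic: they catch the shape of a tunneled request rather than any product-specific header trick, so a hit is a lead for triage, and a clean result does not prove a host is unaffected.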
References
For further details and updates, refer to the following official advisories and resources:
Rescana is here for you
At Rescana, we understand the critical importance of protecting your organization from emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform helps you stay ahead of vulnerabilities like CVE-2023-41265 by providing real-time monitoring, threat intelligence, and automated remediation. We are committed to helping you safeguard your systems and data from potential attacks.
If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com. We are here to assist you in navigating the complex landscape of cybersecurity threats.