Description
An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
EPSS Score:
93%
Comprehensive Technical Analysis of EUVD-2023-45782 (CVE-2023-41265)
Qlik Sense Enterprise for Windows – HTTP Request Tunneling Vulnerability
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
EUVD-2023-45782 (CVE-2023-41265) is a critical HTTP Request Tunneling vulnerability in Qlik Sense Enterprise for Windows, allowing unauthenticated remote attackers to elevate privileges by manipulating raw HTTP requests. The flaw enables attackers to bypass authentication controls and execute arbitrary requests on the backend repository server, leading to full system compromise.
CVSS v3.1 Severity Breakdown
| Metric | Value | Explanation |
|---|---|---|
| Base Score | 9.6 (Critical) | High impact on confidentiality, integrity, and availability. |
| Attack Vector (AV) | Network (N) | Exploitable remotely over the internet. |
| Attack Complexity (AC) | Low (L) | No specialized conditions required; straightforward exploitation. |
| Privileges Required (PR) | Low (L) | Attacker only needs basic user-level access (e.g., a valid session). |
| User Interaction (UI) | None (N) | No user interaction is required. |
| Scope (S) | Changed (C) | Impact extends beyond the vulnerable component (repository server). |
| Confidentiality (C) | High (H) | Attacker can access sensitive data (e.g., credentials, business intelligence). |
| Integrity (I) | High (H) | Attacker can modify backend data or configurations. |
| Availability (A) | None (N) | No direct impact on availability (though post-exploitation could lead to DoS). |
EPSS & Exploitability
- EPSS Score: 93% (Extremely high likelihood of exploitation in the wild).
- Exploit Code Maturity: Likely functional (given the simplicity of HTTP request manipulation).
- Threat Actor Profile: Opportunistic attackers, ransomware groups, and APTs targeting exposed Qlik Sense instances.
2. Potential Attack Vectors & Exploitation Methods
Exploitation Mechanism
The vulnerability stems from improper input validation in Qlik Sense’s HTTP request handling, allowing attackers to tunnel malicious requests through seemingly legitimate ones. Key exploitation steps include:
-
Initial Access:
- Attacker identifies an exposed Qlik Sense instance (e.g., via Shodan, Censys, or manual discovery).
- No authentication is required if the system is misconfigured (e.g., default credentials, weak access controls).
-
HTTP Request Tunneling:
- Attacker crafts a malicious HTTP request with embedded commands (e.g., SQL injection, API abuse).
- The request is tunneled through the Qlik Sense proxy, bypassing authentication checks.
- The backend repository server processes the request as if it originated from a trusted source.
-
Privilege Escalation & Post-Exploitation:
- Attacker gains administrative access to the Qlik Sense repository.
- Possible actions:
- Data exfiltration (sensitive business intelligence, user credentials).
- Arbitrary code execution (via plugin uploads, script injection).
- Lateral movement (pivoting to other internal systems).
- Persistence (backdoor installation, scheduled tasks).
Proof-of-Concept (PoC) Attack Scenario
POST /api/v1/engine/ HTTP/1.1
Host: vulnerable-qlik-sense.example.com
Content-Type: application/json
X-Qlik-User: UserDirectory=internal; UserId=admin
{
"method": "Execute",
"params": {
"qScript": "Set vPayload = '$(whoami)';"
}
}
- Impact: If the backend processes this request, it executes the command
whoamiwith admin privileges.
Real-World Exploitation Risks
- Ransomware Deployment: Attackers could encrypt Qlik Sense data or use it as a foothold for broader network encryption.
- Data Theft: Extraction of sensitive business analytics, customer data, or intellectual property.
- Supply Chain Attacks: Compromised Qlik Sense instances could be used to distribute malicious dashboards to downstream users.
3. Affected Systems & Software Versions
Vulnerable Versions
| Release Train | Affected Versions | Fixed Versions |
|---|---|---|
| August 2023 IR | All versions before August 2023 IR | August 2023 IR |
| May 2023 | ≤ May 2023 Patch 3 | May 2023 Patch 4 |
| February 2023 | ≤ February 2023 Patch 7 | February 2023 Patch 8 |
| November 2022 | ≤ November 2022 Patch 10 | November 2022 Patch 11 |
| August 2022 | ≤ August 2022 Patch 12 | August 2022 Patch 13 |
Scope of Impact
- Deployment Models: On-premises Qlik Sense Enterprise for Windows (cloud-hosted instances are not affected).
- Components at Risk:
- Qlik Sense Repository Service (QRS)
- Qlik Sense Proxy Service (QPS)
- Backend APIs (e.g.,
/api/v1/,/engine/)
4. Recommended Mitigation Strategies
Immediate Actions
-
Apply Patches Immediately:
- Upgrade to the latest patched version (August 2023 IR, May 2023 Patch 4, etc.).
- Do not delay patching—exploitation is highly likely given the EPSS score.
-
Network-Level Protections:
- Restrict access to Qlik Sense instances via firewall rules (allow only trusted IPs).
- Disable unnecessary ports (e.g., default ports
4242,4243,443if not in use). - Implement WAF rules to block suspicious HTTP request patterns (e.g., unusual headers, excessive payloads).
-
Authentication & Authorization Hardening:
- Enforce MFA for all Qlik Sense users.
- Review and restrict user permissions (least privilege principle).
- Disable default accounts (e.g.,
admin,sa_repository).
-
Monitoring & Detection:
- Enable logging for all Qlik Sense API calls (monitor for unusual
POST/GETrequests). - Deploy EDR/XDR solutions to detect post-exploitation activity (e.g., unexpected process execution).
- Set up SIEM alerts for:
- Multiple failed authentication attempts.
- Unusual API calls (e.g.,
/api/v1/engine/with suspicious payloads).
- Enable logging for all Qlik Sense API calls (monitor for unusual
Long-Term Recommendations
- Conduct a Security Audit:
- Review Qlik Sense configurations for misconfigurations (e.g., overly permissive CORS settings).
- Perform penetration testing to identify residual vulnerabilities.
- Segmentation:
- Isolate Qlik Sense servers in a dedicated VLAN with strict access controls.
- Backup & Recovery:
- Ensure offline backups of Qlik Sense repositories to mitigate ransomware risks.
5. Impact on the European Cybersecurity Landscape
Regulatory & Compliance Implications
- GDPR (General Data Protection Regulation):
- If exploited, this vulnerability could lead to unauthorized data access, triggering GDPR Article 33 (72-hour breach notification).
- Organizations may face fines up to 4% of global revenue if negligence is proven.
- NIS2 Directive (Network and Information Security):
- Critical infrastructure sectors (e.g., finance, healthcare) using Qlik Sense must report incidents under NIS2.
- DORA (Digital Operational Resilience Act):
- Financial institutions must assess and mitigate this risk as part of their ICT risk management framework.
Threat Landscape in Europe
- Targeted Sectors:
- Government & Public Sector (e.g., statistical agencies, tax authorities).
- Healthcare (e.g., hospitals using Qlik for patient data analytics).
- Financial Services (e.g., banks, insurance firms).
- Critical Infrastructure (e.g., energy, transportation).
- APT & Cybercriminal Activity:
- Russian APT groups (e.g., APT29, Sandworm) have historically targeted business intelligence tools.
- Ransomware gangs (e.g., LockBit, BlackCat) may exploit this for initial access.
ENISA & National CERT Recommendations
- ENISA Threat Landscape Report (2023):
- Highlights supply chain risks in business intelligence software.
- Recommends proactive patch management for critical vulnerabilities.
- National CERTs (e.g., CERT-EU, BSI, ANSSI):
- Likely to issue high-priority advisories for affected organizations.
- May conduct coordinated vulnerability disclosure (CVD) with Qlik.
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerability Type: HTTP Request Smuggling / Tunneling (CWE-444).
- Underlying Issue:
- Qlik Sense’s proxy service fails to properly validate raw HTTP request headers.
- Attackers can inject malicious payloads into legitimate-looking requests.
- The repository service processes these requests without re-authenticating, leading to privilege escalation.
Exploitation Technical Deep Dive
-
Request Forging:
- Attacker sends a malformed HTTP request with:
- Spoofed
X-Qlik-Userheader (e.g.,UserId=admin). - Embedded API calls (e.g.,
/api/v1/engine/with arbitrary commands).
- Spoofed
- Example:
POST /api/v1/engine/ HTTP/1.1 Host: target.example.com X-Qlik-User: UserDirectory=internal; UserId=admin Content-Type: application/json {"method":"Execute","params":{"qScript":"$(whoami)"}}
- Attacker sends a malformed HTTP request with:
-
Proxy Bypass:
- The Qlik Sense proxy forwards the request to the repository service without revalidating authentication.
- The repository service executes the command with admin privileges.
-
Post-Exploitation:
- Data Exfiltration: Attacker can query the repository for sensitive data (e.g.,
SELECT * FROM Users). - Arbitrary Code Execution: Upload malicious extensions or scripts.
- Lateral Movement: Use Qlik Sense as a pivot to other internal systems.
- Data Exfiltration: Attacker can query the repository for sensitive data (e.g.,
Detection & Forensics
- Log Analysis:
- Look for unusual
POSTrequests to/api/v1/engine/or/api/v1/repository/. - Check for
X-Qlik-Userheader manipulation (e.g.,UserId=adminin unauthenticated requests).
- Look for unusual
- Network Traffic Analysis:
- Monitor for unexpected outbound connections from Qlik Sense servers (C2 callbacks).
- Endpoint Detection:
- EDR alerts for
qlik.exespawning unexpected child processes (e.g.,cmd.exe,powershell.exe).
- EDR alerts for
YARA Rule for Detection
rule QlikSense_HTTP_Tunneling_Exploit {
meta:
description = "Detects CVE-2023-41265 HTTP Request Tunneling in Qlik Sense"
author = "Cybersecurity Analyst"
reference = "CVE-2023-41265"
severity = "Critical"
strings:
$header1 = "X-Qlik-User: UserDirectory=internal; UserId=admin" nocase
$header2 = "X-Qlik-User: UserDirectory=;" nocase
$api_call1 = "/api/v1/engine/" nocase
$api_call2 = "/api/v1/repository/" nocase
$payload1 = "\"method\":\"Execute\"" nocase
$payload2 = "\"qScript\":" nocase
condition:
(all of ($header*)) and (any of ($api_call*)) and (any of ($payload*))
}
Conclusion & Key Takeaways
- Criticality: 9.6 (CVSS) + 93% EPSS = Immediate patching required.
- Exploitation: Low complexity, high impact—attackers can gain full admin access.
- Mitigation: Patch now, restrict access, monitor for exploitation.
- European Impact: GDPR, NIS2, and DORA compliance risks—organizations must act swiftly.
Final Recommendation:
- Patch within 24-48 hours if Qlik Sense is exposed to the internet.
- Assume breach if unpatched and conduct a forensic investigation.
- Engage with national CERTs if exploitation is suspected.
For further details, refer to:
References
Affected Products
n/a
Version: n/a
Vendors
n/a