DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration
Field | Value |
---|---|
Our reference | DIVD-2021-00021 |
Case lead | Diego Klinkhamer |
Author | Hidde Smit |
Researcher(s) | |
CVE(s) | |
Product | Qlik Sense Enterprise on Windows |
Versions | < 14.44.0 |
Recommendation | November 2021 patch fixes this vulnerability. |
Status | Closed |
Last modified | 02 Nov 2022 21:12 CET |
Summary
On 18 August 2021, DIVD discovered a timing attack vulnerability in Qlik Sense Enterprise on Windows. The vulnerability can be abused for domain user enumeration. The vendor fixed it in the November 2021 patch, and CVE-2022-0564 has been assigned to it. Systems are only affected if they have LDAP configured.
What you can do
- Update Qlik Sense Enterprise to the latest version available.
- Disable internet-facing NTLM endpoints, e.g. `internal_windows_authentication`, to avoid domain enumeration.
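As an added illustration that is not part of this advisory, the detector below flags sources that probe the NTLM endpoint with many distinct domain user names inside a sliding time window; the audit-log layout, the user names and the IP addresses are constructed for the example and are not Qlik's own log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication audit log. Its layout (UTC timestamp, client IP,
# endpoint, attempted user, result) is an assumption for this example. A valid
# domain user still FAILs without the right password, so the enumeration
# signal is the breadth of names tried, not the result code.
SAMPLE_LOG = r"""
2021-08-18T10:00:01Z 203.0.113.7 /internal_windows_authentication/ user=CORP\alice FAIL
2021-08-18T10:00:02Z 203.0.113.7 /internal_windows_authentication/ user=CORP\bob FAIL
2021-08-18T10:00:03Z 198.51.100.4 /internal_windows_authentication/ user=CORP\carol FAIL
2021-08-18T10:00:04Z 203.0.113.7 /internal_windows_authentication/ user=CORP\carol FAIL
2021-08-18T10:00:05Z 203.0.113.7 /internal_windows_authentication/ user=CORP\dave FAIL
2021-08-18T10:00:07Z 203.0.113.7 /internal_windows_authentication/ user=CORP\erin FAIL
2021-08-18T10:00:08Z 203.0.113.7 /hub/ user=CORP\frank OK
2021-08-18T10:00:09Z 203.0.113.7 /internal_windows_authentication/ user=CORP\frank FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<endpoint>\S+) user=(?P<user>\S+) (?P<result>\S+)$")

def parse(line):
    """Return one event dict, or None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def find_enumeration(lines, window_s=60, min_distinct=5):
    """Map source IP -> peak count of distinct user names it tried against the
    NTLM endpoint within window_s seconds; only sources reaching min_distinct."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # src -> (ts, user) events still inside the window
    flagged = {}
    for line in lines:
        ev = parse(line)
        # Skip unparsable lines, other endpoints, and real logins (result OK).
        if not ev or "internal_windows_authentication" not in ev["endpoint"] or ev["result"] == "OK":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"].lower()))
        while ev["ts"] - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({user for _, user in q})
        if distinct >= min_distinct:
            flagged[ev["src"]] = max(flagged.get(ev["src"], 0), distinct)
    return flagged
```

Running `find_enumeration(SAMPLE_LOG.strip().splitlines())` flags 203.0.113.7 with six distinct names, while 198.51.100.4 (one name) is ignored.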
What we are doing
- We are scanning the internet for vulnerable Qlik Sense Enterprise servers, and will notify system owners via the listed abuse contacts.
Timeline
Date | Description |
---|---|
18 Aug 2021 | Vulnerability reported to vendor. |
20 Aug 2021 | Vulnerability confirmed by vendor. |
09 Nov 2021 | Vulnerability patched by vendor. |
10 Feb 2022 | DIVD notified about patch by vendor. |
01 Mar 2022 | DIVD sent out a first batch of notifications. |
01 Apr 2022 | Case closed. |
```mermaid
gantt
title DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration (226 days) :2021-08-18, 2022-04-01
section Events
Vulnerability reported to vendor. : milestone, 2021-08-18, 0d
Vulnerability confirmed by vendor. : milestone, 2021-08-20, 0d
Vulnerability patched by vendor. : milestone, 2021-11-09, 0d
DIVD notified about patch by vendor. : milestone, 2022-02-10, 0d
DIVD sent out a first batch of notifications. : milestone, 2022-03-01, 0d
Case closed. : milestone, 2022-04-01, 0d
```