DIVD-2021-00021 - Qlik Sense Enterprise domain user enumeration
| Field | Value |
|---|---|
| Case lead | Diego Klinkhamer |
| Product | Qlik Sense Enterprise on Windows |
| Recommendation | November 2021 patch fixes this vulnerability. |
| Last modified | 02 Nov 2022 21:12 |
On 18 August 2021, DIVD discovered a timing attack vulnerability in Qlik Sense Enterprise on Windows: the time the server takes to answer an authentication attempt depends on whether the supplied username exists, which can be abused to enumerate domain users. The vendor fixed this vulnerability in November 2021, and CVE-2022-0564 has been assigned to it. Systems are only affected if they have LDAP configured.
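The following is an added example (not DIVD's or Qlik's code) of how a timing oracle of this kind is turned into user enumeration, so that an administrator can check their own server for the behaviour. It does not reproduce the actual Qlik Sense request: the `probe` callable, the `simulated_probe` server model, the 50 ms/250 ms timings and the candidate usernames are all constructed assumptions. The analysis compares each candidate's median response time against a username that is known not to exist, using the median absolute deviation so that a few slow outliers do not hide or fake the signal.

```python
"""Timing-side-channel analysis for username enumeration.

Added example; not DIVD's or Qlik's code. It does not reproduce the real
Qlik Sense request: it takes any probe(username) -> seconds callable,
measures each candidate repeatedly, and reports the usernames whose
response time differs from a username known not to exist. The simulated
server, its timings and the candidate names below are assumptions.
"""
import random
import statistics
from typing import Callable, Dict, List, Optional

Probe = Callable[[str], float]


def collect_timings(probe: Probe, usernames: List[str], rounds: int = 25,
                    rng: Optional[random.Random] = None) -> Dict[str, List[float]]:
    """Measure every username `rounds` times.

    The order is shuffled each round so that a slow period on the server
    affects all usernames roughly equally instead of biasing one of them.
    """
    rng = rng or random.Random()
    samples: Dict[str, List[float]] = {u: [] for u in usernames}
    for _ in range(rounds):
        order = list(usernames)
        rng.shuffle(order)
        for user in order:
            samples[user].append(probe(user))
    return samples


def classify(samples: Dict[str, List[float]], baseline_user: str,
             factor: float = 3.0, min_delta: float = 0.010) -> List[str]:
    """Return usernames whose median response time is far from the baseline.

    `baseline_user` must be a name that certainly does not exist. Medians and
    the median absolute deviation (MAD) are used instead of mean/stddev so a
    few outliers (retransmissions, GC pauses) do not swamp the signal.
    `min_delta` is a floor (here 10 ms) below which a difference is noise.
    """
    base = samples[baseline_user]
    base_median = statistics.median(base)
    mad = statistics.median(abs(t - base_median) for t in base)
    threshold = max(factor * mad, min_delta)
    likely_valid = []
    for user, times in samples.items():
        if user == baseline_user:
            continue
        if abs(statistics.median(times) - base_median) > threshold:
            likely_valid.append(user)
    return likely_valid


def simulated_probe(existing_users: set, seed: int = 1) -> Probe:
    """Constructed stand-in for a real probe (assumption, not Qlik behaviour).

    Models a server that answers in about 50 ms for unknown accounts but
    about 250 ms for accounts that exist (e.g. because the directory is only
    queried then), with Gaussian jitter. A real probe would time an HTTP
    request to the authentication endpoint and return the elapsed seconds.
    """
    rng = random.Random(seed)

    def probe(username: str) -> float:
        base = 0.250 if username in existing_users else 0.050
        return base + rng.gauss(0.0, 0.005)

    return probe


def run_demo() -> List[str]:
    """Enumerate a constructed candidate list against the simulated server."""
    existing = {"alice", "bob"}                       # constructed ground truth
    candidates = ["alice", "carol", "bob", "dave", "erin"]
    baseline = "zz-no-such-user-7f3a"                 # deliberately random-looking
    samples = collect_timings(simulated_probe(existing), candidates + [baseline],
                              rounds=25, rng=random.Random(7))
    return sorted(classify(samples, baseline))


if __name__ == "__main__":
    print("likely valid domain users:", run_demo())
```

When running this against a real server, replace `simulated_probe` with a function that times one authentication attempt and keep the baseline username random-looking so it cannot accidentally exist; a server that is not vulnerable should put every candidate inside the noise floor.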
What you can do
- Update Qlik Sense Enterprise to the latest version available.
- Disable internet-facing NTLM endpoints (e.g. internal_windows_authentication) so that the domain cannot be enumerated from the internet.
What we are doing
- We are scanning the internet for vulnerable Qlik Sense Enterprise servers, and will notify system owners via the listed abuse contacts.
| Date | Event |
|---|---|
| 18 Aug 2021 | Vulnerability reported to vendor. |
| 20 Aug 2021 | Vulnerability confirmed by vendor. |
| 09 Nov 2021 | Vulnerability patched by vendor. |
| 10 Feb 2022 | DIVD notified about patch by vendor. |
| 01 Mar 2022 | DIVD sent out a first batch of notifications. |
| 01 Apr 2022 | Case closed. |