DIVD-2024-00014 - Qlik Sense Remote Code Execution

Our reference DIVD-2024-00014
Case lead Ralph Horn
Researcher(s)
CVE(s)
Products
  • Qlik Sense
Versions
  • All versions prior to and including
  • August 2023 Patch 1
  • May 2023 Patch 5
  • February 2023 Patch 9
  • November 2022 Patch 11
  • August 2022 Patch 13
  • May 2022 Patch 15
  • February 2022 Patch 14
  • November 2021 Patch 16
Recommendation Upgrade to a Qlik Sense version where the issue is fixed. The issue is fixed in the following versions: August 2023 Patch 1, May 2023 Patch 5, February 2023 Patch 9,November 2022 Patch 11,August 2022 Patch 13, May 2022 Patch 15, February 2022 Patch 14, November 2021 Patch 16
Patch status Released
Status Closed
Last modified 07 Aug 2024 13:54 CEST

Summary

A set of remote code execution vulnerabilities was reported for Qlik Sense in 2023. DIVD is rescanning previously known vulnerable instances in an effort to increase patch rates. Not patching the device might result in a compromised Qlik Sense, which in turn could result in attacks such as leaked data or ransomware, as described in a blog by Arctic Wolf and a press release by project Melissa.

DIVD is running this case in collaboration with Project Melissa in which various Dutch cyber security companies collaborate to make The Netherlands less attractive for ransomware gangs. From combined research between Fox-IT, Northwave, Responders BV and ESET Netherlands it has been identified that vulnerable Qlik Sense instances are used to compromise corporate environments and install ransomware.

Fox-IT scanned for vulnerable instances and together with the Dutch NCSC, and DTC we sent out notifications to these (potential) victims either directly or via country certs.

Recommendations

Qlik recommends to upgrade to at least a version where the issue is fixed:

What we are doing

DIVD is currently identifying vulnerable instances and notifying the owners of these systems.

Timeline

Date Description
29 Aug 2023 Qlik advisory released regarding to two vulnerabilities which result in a remote code execution vulnerability when combined.
20 Sep 2023 Second Qlik advisory updated for CVE-2023-48365 which serves as a bypass for the previous two CVE’s
19 Apr 2024 DIVD starts notifying previously fingerprinted vulnerabilities.
25 Apr 2024 Public announcement by Project Melissa
gantt title DIVD-2024-00014 - Qlik Sense Remote Code Execution dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00014 - Qlik Sense Remote Code Execution (75 days) :2024-04-19, 2024-07-03 section Events Qlik advisory released regarding to two vulnerabilities which result in a remote code execution vulnerability when combined. : milestone, 2023-08-29, 0d Second Qlik advisory updated for CVE-2023-48365 which serves as a bypass for the previous two CVE’s : milestone, 2023-09-20, 0d DIVD starts notifying previously fingerprinted vulnerabilities. : milestone, 2024-04-19, 0d Public announcement by Project Melissa : milestone, 2024-04-25, 0d

More information