CVE-2023-41265
📋 TL;DR
CVE-2023-41265 is an HTTP request tunneling vulnerability in Qlik Sense Enterprise for Windows. A remote attacker can embed an additional HTTP request inside the raw request sent to the Qlik Sense proxy; that embedded request is passed through to, and executed by, the backend server hosting the repository application, bypassing the access controls the proxy is supposed to enforce and giving the attacker elevated privileges. Affected releases are May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier; any organization running one of these is vulnerable.
💻 Affected Systems
- Qlik Sense Enterprise for Windows (May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, August 2022 Patch 12 and earlier)
📦 What is this software?
Qlik Sense Enterprise for Windows is a self-hosted business intelligence and analytics platform. Browser clients reach it through the Qlik Sense Proxy Service, which terminates HTTPS and fronts the internal services, including the Qlik Sense Repository Service that stores the deployment's configuration, users and security rules. This vulnerability sits in that proxy-to-backend path: requests that should be filtered by the proxy reach the repository backend instead.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Qlik Sense server: requests executed by the backend with the repository application's privileges can be used to reach code execution on the host, and from there data theft, ransomware deployment or lateral movement across the network.
Likely Case
Privilege escalation within Qlik Sense, letting the attacker read sensitive data and application content, change repository configuration (users, security rules, extensions), or disrupt business intelligence operations.
If Mitigated
Reduced impact: if the proxy is reachable only from trusted networks and no backend service port is exposed, an attacker first needs a foothold on that network, and the realistic outcome is limited to information disclosure or minor configuration changes.
🎯 Exploit Status
Exploitation requires only the ability to send crafted raw HTTP requests to the Qlik Sense proxy, so standard HTTP tooling is sufficient; no special client or prior foothold on the host is needed. CISA has added CVE-2023-41265 to its Known Exploited Vulnerabilities catalog, which means exploitation in the wild has been confirmed, so treat this as actively exploited rather than theoretical.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, August 2022 Patch 13
Vendor Advisory: https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801
Restart Required: Yes
Instructions:
1. Identify your current Qlik Sense release and patch level.
2. Download the matching patch from Qlik's official support portal.
3. Apply the patch following Qlik's installation documentation.
4. Restart all Qlik Sense services.
5. Confirm the installed version now matches one of the patched levels listed above.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to Qlik Sense servers to trusted IP addresses and networks only.
Use firewall rules to limit inbound connections to the proxy's client-facing ports (typically 443, 4244 and 4248) to those trusted addresses, and do not expose the internal service ports to clients at all; only the proxy should ever accept a client connection.
Web Application Firewall
Deploy a WAF in front of the proxy with rules that detect and block HTTP request tunneling attempts.
Configure the WAF to validate request structure before forwarding: reject requests whose target or header values contain encoded CR/LF sequences or an embedded request line, and requests with ambiguous body framing (Content-Length together with Transfer-Encoding, or duplicate Content-Length headers).
🧯 If You Can't Patch
- Isolate Qlik Sense servers in a separate network segment with strict access controls, and make sure the repository service and other backend ports are reachable only from the Qlik Sense hosts themselves
- Implement network monitoring and intrusion detection for HTTP tunneling patterns on the proxy, and alert on any request that reaches a backend service from an address other than the proxy
🔍 How to Verify
Check if Vulnerable:
Check the Qlik Sense release and patch level via the Qlik Management Console or the installed programs list in Windows Control Panel. You are vulnerable if you are on May 2023 Patch 3 or earlier, February 2023 Patch 7 or earlier, November 2022 Patch 10 or earlier, or August 2022 Patch 12 or earlier.
Check Version:
In the Qlik Management Console, open the About section, or check Windows Programs and Features for the Qlik Sense version; note both the release (for example May 2023) and the patch number, since the fix is tied to a specific patch level within each release.
Verify Fix Applied:
Verify the version number matches one of the patched levels: August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, or August 2022 Patch 13. These are the patch levels that first addressed CVE-2023-41265; Qlik later published CVE-2023-48365 as a bypass of this fix with newer patch levels, so check the vendor advisory for the current required patch level rather than stopping at the levels above.
📡 Detection & Monitoring
Log Indicators:
- Proxy requests whose target or headers contain encoded CR/LF or a second HTTP request line; backend (repository) requests that do not correspond to a proxy request or an authenticated session; unexpected new users, security-rule changes or extension uploads in Qlik audit logs
Network Indicators:
- HTTP requests with tunneling or smuggling patterns (embedded request lines, Content-Length together with Transfer-Encoding, duplicate Content-Length), connections to backend repository ports from anything other than the Qlik Sense hosts, and unexpected outbound connections from Qlik servers
SIEM Query:
Illustrative search only; the field names (uri, request_headers) are placeholders that you must map to how your Qlik proxy or front-end WAF logs are parsed in your SIEM:
source="qlik*" AND (uri="*%0d%0a*" OR uri="*HTTP/1.1*" OR (request_headers="*Content-Length*" AND request_headers="*Transfer-Encoding*"))
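The WAF rule and the log indicators above both come down to the same check: does a raw HTTP request contain a second request hidden inside it, or framing that a proxy and a backend would interpret differently? The script below is an added example written for this page, not code from Qlik or from the vendor advisory. The page does not publish the exact request shape used against CVE-2023-41265, so the rules are generic request tunneling and smuggling indicators rather than a CVE signature. The sample requests, hostnames and paths are constructed for the example; they are not captured traffic.

```python
# Added example (not code from Qlik or the vendor advisory): heuristic
# detection of HTTP request tunnelling/smuggling shapes in raw HTTP requests.
# The rules are generic indicators, not a signature for CVE-2023-41265, whose
# exact request shape is not given on this page.
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# A complete HTTP/1.x request line: METHOD SP target SP HTTP/1.x
REQUEST_LINE = re.compile(rb"\b(?:GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS)\s+/\S*\s+HTTP/1\.[01]")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def parse_raw_request(raw: bytes):
    """Split a raw request into (request line, [(lower-cased name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def analyse_request(raw: bytes) -> list[Finding]:
    """Return the tunnelling/smuggling indicators found in one raw request."""
    findings = []
    request_line, headers, body = parse_raw_request(raw)
    parts = request_line.split(b" ")
    target = parts[1] if len(parts) >= 3 else b""

    # Rule 1: percent-encoded CR/LF, or a whole request line, hidden in the
    # request target; once a backend decodes it, it can start a new request.
    decoded = unquote_to_bytes(target)
    if b"\r" in decoded or b"\n" in decoded:
        findings.append(Finding("crlf-in-target", target.decode(errors="replace")))
    if REQUEST_LINE.search(decoded):
        findings.append(Finding("request-line-in-target", decoded.decode(errors="replace")))

    # Rule 2: a header value that itself looks like a request line.
    for name, value in headers:
        if REQUEST_LINE.search(value):
            findings.append(Finding("request-line-in-header", name.decode()))

    # Rule 3: framing ambiguity between proxy and backend (Content-Length with
    # Transfer-Encoding, or duplicate Content-Length), the smuggling precondition.
    names = [n for n, _ in headers]
    if b"content-length" in names and b"transfer-encoding" in names:
        findings.append(Finding("cl-te-ambiguity", "Content-Length and Transfer-Encoding both present"))
    if names.count(b"content-length") > 1:
        findings.append(Finding("duplicate-content-length", f"{names.count(b'content-length')} headers"))

    # Rule 4: bytes beyond the declared Content-Length that form a second
    # request; a front end honouring the length leaves them for the backend.
    cl_values = [v for n, v in headers if n == b"content-length"]
    if cl_values and cl_values[0].isdigit():
        trailing = body[int(cl_values[0]):]
        if REQUEST_LINE.search(trailing):
            findings.append(Finding("request-after-declared-body", trailing[:60].decode(errors="replace")))
    return findings


def scan(requests: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each sample name to the list of rule names that fired on it."""
    return {name: [f.rule for f in analyse_request(raw)] for name, raw in requests.items()}


# Constructed sample requests (not captured traffic); hostnames and paths are illustrative.
SAMPLES = {
    "benign": b"GET /hub/ HTTP/1.1\r\nHost: qlik.example.internal\r\n\r\n",
    "encoded-crlf": (b"GET /resources/%0d%0aGET%20/internal/%20HTTP/1.1 HTTP/1.1\r\n"
                     b"Host: qlik.example.internal\r\n\r\n"),
    "cl-te": (b"POST /hub/ HTTP/1.1\r\nHost: qlik.example.internal\r\n"
              b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "trailing-request": (b"POST /hub/ HTTP/1.1\r\nHost: qlik.example.internal\r\n"
                         b"Content-Length: 2\r\n\r\nokGET /internal/ HTTP/1.1\r\n"
                         b"Host: backend\r\n\r\n"),
}

if __name__ == "__main__":
    for name, rules in scan(SAMPLES).items():
        print(f"{name:18s} {'ALERT ' + ', '.join(rules) if rules else 'clean'}")
```

Run it as-is to see which rule fires on each constructed sample; to use it on real data, feed `analyse_request` the raw request bytes your WAF or reverse proxy can log. Rules 1 and 2 are the ones to put in front of a Qlik Sense proxy as blocking rules; rules 3 and 4 are worth alerting on but can produce false positives from legitimate clients with odd framing, so tune them against a baseline of your own traffic first.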
🔗 References
- https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801
- https://community.qlik.com/t5/Release-Notes/tkb-p/ReleaseNotes
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41265