CVE-2023-48365
📋 TL;DR
CVE-2023-48365 is an unauthenticated remote code execution vulnerability in Qlik Sense Enterprise for Windows. Attackers can exploit improper HTTP header validation to tunnel requests and execute arbitrary code on backend repository servers. Organizations running affected Qlik Sense versions without patches are vulnerable.
💻 Affected Systems
- Qlik Sense Enterprise for Windows
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to other systems, and maintain persistent access.
Likely Case
Initial access leading to data exfiltration, ransomware deployment, or use as a foothold for lateral movement within the network.
If Mitigated
Attack blocked at network perimeter or detected before significant damage occurs.
🎯 Exploit Status
CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: August 2023 Patch 2 or later security patches listed in affected versions
Vendor Advisory: https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510
Restart Required: Yes
Instructions:
1. Download appropriate patch from Qlik Support Portal.
2. Backup Qlik Sense environment.
3. Apply patch following Qlik's installation guide.
4. Restart Qlik Sense services.
5. Verify patch installation.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to Qlik Sense servers to only trusted IP addresses and required users
Use firewall rules to limit inbound connections to Qlik Sense ports (typically 443, 4242, 4244)
Web Application Firewall
Deploy WAF with rules to detect and block HTTP header manipulation attacks
Configure WAF rules to inspect and validate HTTP headers for anomalies
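A read-only audit for the Network Segmentation workaround above, added here as an example (it is not from Qlik or from the original page): it lists enabled inbound allow rules in Windows Defender Firewall that cover the ports named above and flags the ones with no remote-address scope. It assumes the host firewall is one of the enforcement points; the helper name `Test-PortCovered` is hypothetical.

```powershell
# Added example: audit inbound firewall exposure of the Qlik Sense ports.
# Read-only: it changes no rules. Run in an elevated PowerShell session.
$QlikPorts = 443, 4242, 4244   # ports named in the workaround above

# Hypothetical helper: does a rule's LocalPort list cover a given port?
# LocalPort entries can be 'Any', a single port, a range ('4242-4244'),
# or a keyword such as 'RPC' (keywords are ignored here).
function Test-PortCovered {
    param([string[]]$RulePorts, [int]$Port)
    foreach ($p in $RulePorts) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -notin 'TCP', '6', 'Any') { continue }

    $covered = $QlikPorts | Where-Object { Test-PortCovered -RulePorts $portFilter.LocalPort -Port $_ }
    if (-not $covered) { continue }

    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    [pscustomobject]@{
        Rule     = $rule.DisplayName
        Ports    = $covered -join ','
        Remote   = $remote -join ','
        # 'Any' means the rule accepts connections from every source address.
        Unscoped = $remote -contains 'Any'
    }
}

# Unscoped rules first: these are the ones to restrict to trusted addresses.
$findings | Sort-Object Unscoped -Descending | Format-Table -AutoSize
```

Rules reported with `Unscoped = True` are candidates for a restricted remote-address scope; the others still need their `Remote` column compared against the list of trusted addresses.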
🧯 If You Can't Patch
- Isolate Qlik Sense servers in separate network segment with strict access controls
- Implement intrusion detection/prevention systems to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check Qlik Sense version via Qlik Management Console (QMC) or registry: HKEY_LOCAL_MACHINE\SOFTWARE\QlikTech\Sense\Version
Check Version:
reg query "HKLM\SOFTWARE\QlikTech\Sense" /v Version
Verify Fix Applied:
Verify installed version matches or exceeds patched versions listed in affected systems
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests with manipulated headers to repository service
- Unexpected process creation from Qlik Sense services
- Authentication bypass attempts
Network Indicators:
- HTTP requests with abnormal header patterns to Qlik Sense ports
- Unusual outbound connections from Qlik Sense servers
SIEM Query:
source="qlik-sense-logs" AND (http_header_manipulation OR authentication_bypass OR ("repository service" AND suspicious_request))
🔗 References
- https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-48365