CISA adds Qlik bugs to catalog of exploited vulnerabilities

esteria.white

Two vulnerabilities affecting a popular data analysis tool were added this week to the Cybersecurity and Infrastructure Security Agency’s (CISA) list of exploited bugs.

Thursday, CISA added CVE-2023-41265 and CVE-2023-41266 to its catalog, giving federal civilian agencies until December 28 to fix the issues.

Both bugs were found this summer in Qlik Sense, a data analysis tool widely used by government organizations and large businesses. Vulnerabilities provide hackers with an entry point into systems and allow them to escalate their privileges.

“If the two vulnerabilities are combined and successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software,” the company said in a notice dated December 5. “Qlik has received reports that this vulnerability could be used by malicious actors.”

CVE-2023-41265 has a vulnerability severity score of 9.6 and CVE-2023-41266 has a score of 8.2. The vulnerabilities were discovered in August by researchers from the cybersecurity company Praetorian. There are no mitigations, and all versions of Qlik Sense Enterprise for Windows prior to May are vulnerable.

Both issues have been used in a series of attacks by the Cactus ransomware gang since their discovery, according to cybersecurity expert Kevin Beaumont and researchers from Arctic Wolf.

John Gallagher, vice president of Viakoo Labs, said Qlik Sense is widely used.

“There are an estimated 40,000 users, so this is a good method of deploying ransomware. Attacks would only be possible if the threat actor had an instance of Qlik Sense exposed on the internet to attach to,” he said.

“In this sense, most high-value targets (with effective security) would be safe provided Qlik Sense is deployed correctly. As with many high-severity vulnerabilities, it’s a race against time in terms of patch deployment.”

Qlik warned its customers that their tools “should not be exposed to the public Internet” and that removing them “significantly reduces the attack surface.”

Praetorian researchers began exploring issues with Qlik Sense due to “the large number of instances on Shodan (around six thousand external instances) and the high-value nature of the software given its use for analytics data,” they said.

“Since organizations use Qlik Sense for data analysis, we hypothesized that they would most likely provide the application with both database credentials and access to the internal network in corporate environments. This combination of factors made it a high-value target for research purposes,” they said.

In several posts on the social network Mastodon, Beaumont said research on Shodan showed that many US-based organizations had their instances exposed on the internet.

In addition to the Cactus ransomware actors, several other ransomware gangs are exploiting the bugs, according to Beaumont.


Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
