CISA adds Qlik bugs to exploited vulnerabilities catalog

Two vulnerabilities affecting a popular data analytics tool were added to the Cybersecurity and Infrastructure Security Agency’s (CISA) list of exploited bugs this week.

On Thursday, CISA added CVE-2023-41265 and CVE-2023-41266 to its catalog, giving federal civilian agencies until December 28 to patch the issues.

Both bugs were found this summer in Qlik Sense — a data analytics tool used widely among government organizations and large businesses. The vulnerabilities provide hackers with an entry point into systems and allow them to elevate their privileges.

“If the two vulnerabilities are combined and successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software,” the company said in an advisory on December 5. “Qlik has received reports that this vulnerability may be being used by malicious actors.”

CVE-2023-41265 carries a vulnerability severity score of 9.6 and CVE-2023-41266 has a score of 8.2. The vulnerabilities were discovered in August by researchers at cybersecurity firm Praetorian. There are no mitigations and all versions of Qlik Sense Enterprise for Windows before May are vulnerable.

Both issues were used in a series of attacks by the Cactus ransomware gang since they were discovered, according to cybersecurity expert Kevin Beaumont and researchers at Arctic Wolf.

Viakoo Labs Vice President John Gallagher said Qlik Sense is widely used.

“Estimates are there are 40,000 users so as a method of deploying ransomware it’s a good one. Attacks would only be enabled if the threat actor had an internet-exposed instance of Qlik Sense to attach to,” he said.

“In that sense most high value targets (with effective security) would be safe assuming Qlik Sense was deployed properly. As with many high severity vulnerabilities it is a race against time in terms of deploying patches.”

Qlik warned customers that their tools “should not be exposed to the public internet” and that removing them “reduces the attack surface significantly.”

Researchers at Praetorian began to explore issues with Qlik Sense because of the “large number of instances on Shodan (around six thousand externally facing instances), and the high value nature of the software given its usage for data analytics,” they said.

“Because organizations use Qlik Sense for data analytics, we hypothesized that they most likely would provide the application with both database credentials and internal network access to corporate environments. This combination of factors made it a high value target for research purposes,” they said.

In several posts on the social media site Mastodon, Beaumont said searches on Shodan showed that many U.S-based organizations did have their instances exposed to the internet.

In addition to Cactus ransomware actors, several other ransomware gangs are exploiting the bugs, according to Beaumont.