OverviewOn August 29th, 2023 Qlik issued a patch for two vulnerabilities we identified in Qlik Sense Enterprise, CVE-2023-41265 and CVE-2023-41266. These vulnerabilities allowed for unauthenticated remote code execution via path traversal and HTTP request tunneling. As part of our standard operating procedure, we performed a diff of the issued patch to identify potential bypasses for the fix for these vulnerabilities. Unfortunately, in this case, we identified a bypass for the original fix for CVE-2023-41265 which allowed for unauthenticated remote code execution even after applying the patch for CVE-2023-41265 and CVE-2023-41266.Qlik has issued a second patch to address this workaround. The new patch implements a more robust filtering mechanism that is less prone to CL.TE and TE.CL request tunneling attacks. A new CVE, CVE-2023-Pending, will be created to track this vulnerability.ImpactExploitation of this issue allows for an unauthenticated attacker to achieve remote code execution and obtain full administrative privileges within impacted Qlik Sense Enterprise. Once fully understood, these vulnerabilities are easy to exploit reliably and predictably.When will Praetorian publish technical details?Although we have a fully working exploit for CVE-2023-Pending, we believe it best serves the community to delay publication of full technical details until impacted organizations have had the opportunity to patch the affected servers. After an appropriate amount of time, we will publish the full technical details of the issue and why the original fix for CVE-2023-41265 was insufficient.How do I know if my organization is at risk?Praetorian is proactively reaching out to impacted organizations with public vulnerability disclosure and/or bug bounty programs. We also are contacting current and former Praetorian customers where we have determined these organizations are running instances of the application through internet-wide scanning data. That said, users can refer to Qlik’s announcement to see which versions are vulnerable. If your organization is running a vulnerable version, you should remove those assets from the Internet until you can patch them. Unfortunately, every application that you choose to expose to the Internet comes with some degree of risk as vulnerabilities within those applications could provide an attacker with a foothold into your network. Understanding your attack surface better and taking proactive steps to reduce exposures and better assess the impact of new vulnerabilities is a critical step of this process. If you’d like to know how the Chariot offensive security platform can help you stay one step ahead of attackers, please don’t hesitate to contact us for a demo. Labsin CVE