Report DIVD-2021-00021 - Qlik Sense Enterprise Domain User Enumeration

Report DIVD-2021-00021 - Qlik Sense Enterprise Domain User Enumeration

Written on 25 May 2022 by Gerard Janssen

Case lead: Diego Klinkhamer
Researchers: Hidde Smit
Case file: DIVD-2021-00021

On 18 August 2021, DIVD discovered a timing attack vulnerability in Qlik Sense.

Software company Qlik was founded in 1993 in Lund, Sweden, and now based in King of Prussia, Pennsylvania, United States. Qlik Sense is part of the Qlik Active Intelligence Platform, which provides business intelligence and data integration for organizations of all sizes. Qlik Sense uses AI to help users understand and use data.

DIVD found that – if Qlik Sense was configured with a Lightweight Directory Access Protocol (LDAP) – it was vulnerable to a timing attack (CVE-2022-0564). By timing the response after entering a username it could be determined if a username was valid, which is often referred to as ‘domain user enumeration’. An attacker can exploit this vulnerability by using lists of common usernames, known names, and dictionary words to find valid usernames.

Once an attacker has a list of valid usernames, he can target those users for common passwords, or search for the usernames in compromised databases.

DIVD found 97 vulnerable Qlik Sense servers out of 6626 Qlik Sense servers facing the internet and notified the owners.

As of November 2021, this vulnerability has been solved by the vendor.

Timeline

Date Description
18-08-2021 DIVD reports vulnerability to vendor.
20-08-2021 Vulnerability confirmed by vendor.
09-11-2021 Vulnerability patched by vendor.
10-02-2022 DIVD notified about patch by vendor.
01-03-2022 DIVD sent out a first batch of notifications.