Report DIVD-2021-00021 - Qlik Sense Enterprise Domain User EnumerationWritten on 25 May 2022 by Gerard Janssen
Researchers: Hidde Smit
Case file: DIVD-2021-00021
On 18 August 2021, DIVD discovered a timing attack vulnerability in Qlik Sense.
Software company Qlik was founded in 1993 in Lund, Sweden, and now based in King of Prussia, Pennsylvania, United States. Qlik Sense is part of the Qlik Active Intelligence Platform, which provides business intelligence and data integration for organizations of all sizes. Qlik Sense uses AI to help users understand and use data.
DIVD found that – if Qlik Sense was configured with a Lightweight Directory Access Protocol (LDAP) – it was vulnerable to a timing attack (CVE-2022-0564). By timing the response after entering a username it could be determined if a username was valid, which is often referred to as ‘domain user enumeration’. An attacker can exploit this vulnerability by using lists of common usernames, known names, and dictionary words to find valid usernames.
Once an attacker has a list of valid usernames, he can target those users for common passwords, or search for the usernames in compromised databases.
DIVD found 97 vulnerable Qlik Sense servers out of 6626 Qlik Sense servers facing the internet and notified the owners.
As of November 2021, this vulnerability has been solved by the vendor.
|18-08-2021||DIVD reports vulnerability to vendor.|
|20-08-2021||Vulnerability confirmed by vendor.|
|09-11-2021||Vulnerability patched by vendor.|
|10-02-2022||DIVD notified about patch by vendor.|
|01-03-2022||DIVD sent out a first batch of notifications.|