A significant security vulnerability, identified as CVE-2024-55580, was discovered in Qlik Sense Enterprise for Windows, a popular business intelligence and data visualization platform. The affected versions include all releases before November 2024 IR. This vulnerability poses a threat to the system's availability, integrity, and confidentiality, and must be addressed immediately to prevent potential damage.

Exploit Details

The vulnerability allows unprivileged users with network access to execute remote commands on the Qlik Sense Enterprise servers. As a result, an attacker may disrupt the server, compromise sensitive data, and make unauthorized changes to the system configuration.

The following code snippet demonstrates the improper handling of user input, which could potentially be exploited to execute malicious commands:

const { exec } = require('child_process');

// Deliberately vulnerable: user-controlled input is concatenated into a shell command string.
function runCli(req, res) {
    var userInput = req.body.input;
    exec('qlik-cli ' + userInput, function (error, stdout, stderr) {
        res.send(error ? stderr : stdout);
    });
}

In this example, the userInput variable is concatenated directly into a command string, which is then executed via the exec function, i.e. through a shell. An attacker could craft a malicious input containing shell metacharacters and pass it to this command, leading to arbitrary command execution.

Original References

Below are the links to the official advisories, confirming the existence of this critical security issue:

1. Qlik Sense Enterprise Release Notes - November 2024 IR: https://example.com/qlik-sense-release-notes-november-2024
2. Qlik Sense Security Advisory - CVE-2024-55580: https://example.com/qlik-security-advisory-cve-2024-55580

Fixes/Updates

Qlik has acknowledged the vulnerability and has released updates to address this critical issue. Users are strongly urged to apply the patches as soon as possible to mitigate the potential risks. The fixed versions are as follows:

Upgrade instructions can be found in the release notes and the Qlik Sense documentation.

1. Qlik Sense Enterprise Upgrade Instructions: https://example.com/qlik-sense-enterprise-upgrade-instructions
2. Qlik Sense Documentation - Applying Patches: https://example.com/qlik-sense-documentation-applying-patches

Conclusion

In light of the severity of CVE-2024-55580, it is essential for organizations running Qlik Sense Enterprise for Windows to apply the necessary patches and updates promptly. Failing to do so may result in significant damage to system availability, integrity, and confidentiality. By staying informed of the latest security advisories and implementing proactive measures, businesses can significantly reduce the likelihood of falling victim to cyberattacks.

Timeline

Published on: 12/09/2024 03:15:05 UTC
Last modified on: 12/10/2024 15:15:08 UTC