Problem

Cisco IOS XE WebUI - (WebUI) - Web User Interface

The Cisco Internetworking Operating System (IOS) is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems.   The system is a package of routing, switching, internetworking, and telecommunications functions integrated into a multitasking operating system.

The Cisco IOS XE does not use the IOS as the operating system, instead it uses a Linux operating system where IOS runs as a separate process (daemon) on Linux.  All system functions run as separate processes which has a number of advantages, namely multiprocessing, which means that the workload of processes can be shared across multiple CPUs.  When a single process crashes, it no longer takes down the entire OS.

A Web user interface allows a user to interact with content or software running on a remote server or router through a Web browser.  The content or Web page is downloaded from the Web server and the user can interact with this content in a Web browser, which acts as a client.   The Cisco IOS XE Web User Interface (WebUI) is used to configured a router after it has been installed,  to enable traffic to pass through the network, it is also provides network administrators with a single solution for provisioning, monitoring, and optimising devices.

On the 16th Oct 2023, Cisco Systems, Inc. publicly disclosed Common Vulnerability and Exposure (CVE) Report CVE-2023-20198, this is privilege escalation vulnerability in the Web User Interface (WebUI) feature of Cisco's IOS XE software affecting both physical and virtual devices that have the HTTP or HTTPS Server feature enabled.  Exploitation of this vulnerability would allow a threat actor to obtain initial access and create a privileged account, which is then used to create a local user account with normal privileges.  No software patches or updates were released on the date of disclosure due to ongoing investigation into observed exploitation of the Web User Interface (WebUI) feature in Cisco IOS XE Software in the wild.  Cisco System,  Inc have since released a number of fixed software releases.

On the 25th Oct 2023, Cisco Systems, Inc.  publicly disclosed Common Vulnerability and Exposure (CVE) Report CVE-2023-20273, this is a command injection vulnerability in the Web User Interface (WebUI) feature of Cisco's IOS XE software.  An attacker who had obtained access and created a local user account with normal privileges through the exploitation of CVE-2023-20198, could then inject or run arbitrary commands with elevated (root) privileges, in the underlying operating system.

Qlik Sense

Qlik Sense is a data analysis and visualisation software.  It operates with an associative QIX engine which enables the user to link and associate data from varied sources and carries out dynamic searching and selections.  Qlik Sense serves as a data analytics platform for a wide range of users i.e.  from non-technical to technical users.  Qlik Sense utilises data visualization as it has augmented graphics making it possible to show and analyse data graphicaly.

HTTP listens on port 80/TCP.

HTTPS listens on port 443/TCP.

In August 2023, Two (2) security vulnerabilities in Qlik Sense Enterprise for Windows were identified by Adam Crosser and Thomas Hendrickson of the Cybersecurity Company, Praetorian, based in Austin, Texas, USA.  These vulnerabilities involved HTTP Tunneling and Path Traversal, It was also discovered if the two vulnerabilities are combined and successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE).

On the 29th Aug 2023, the Qlik Software Company publicly disclosed CVE-2023-41265 & CVE-2023-41266 that affect Qlik Sense Enterprise for Windows.

On the 20th Sep 2023, The Qlik Software Company publicly disclosed CVE-2023-48365 that affect Qlik Sense Enterprise for Windows.

On the 25th April 2024, Willem Zeeman and Yun Zheng Hu of Fox-IT., part of the information assurance firm, NCC Group, based in Manchester, UK.,  in collaboration with a number of Dutch cyber security firms that had being researching the Cactus Ransomware Group, reported the group modus operandi of exploiting Qlik Sense systems for initial access which they have been actively targeting since November 2023.

Fox-IT together with their colleagues from the various Dutch cyber security firms discovered that the Cactus Ransomware Group use a particular method and technique for initial access to the Qlik Sense systems.  Based upon these discoveries,  Fox-IT., developed a fingerprinting technique to identify Qlik Sense systems that are vulnerable to this method and technique of initial access, and even more critically, which systems are already compromised.

Arctic Wolf Networks, the computer and network security company, based in Eden Prairie, Minnesota, USA., on the 28th Nov 2024 published a list of Indicators of Compromise (IoCs), they had observed, in their incident response (IR) investigation into the new Cactus Ransomware Group campaign which are reported to exploit publicly exposed installations of Qlik Sense.

Constituents are advised to take appropriate action in the event of having a host running the Qlik Sense System, identified in the 'CVEs - Compromised Website Report'.

Cactus Ransomware Group - Indicators of Compromise (IoCs).