This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Security Advisory Articles

Formula injection into CSV files vulnerability in RSA Archer 6.1.x and higher

Article Number

000036742

Applies To

RSA Product Set: RSA Archer
RSA Version/Condition: 6.1.x and later

Article Summary

RSA Archer team occasionally receives reports - from customers performing penetration tests - on injection vulnerability detection when the RSA Archer application allows formula characters to be stored in the system and later exported directly to a comma-separated values (CSV) file. When the CSV is opened in a spreadsheet application, like Microsoft Excel or LibreOffice Calc, the formula is executed, which can cause arbitrary program execution on the user’s system and exfiltrate file contents, system information, etc.

CSV is an interchange format defined in RFC 4180 from the Internet Engineering Task Force (IETF). This format is typically used for exchanging data between two applications. The vulnerability report provides an attack scenario where, under certain circumstances, the exported formulas could be executed by a spreadsheet application opening the CSV file. The spreadsheet applications warn users about potential command execution when they open the CSV file (e.g. “Do not enable this content unless you trust the source of the file” is a warning Microsoft Excel shows to users), but users may trust the source of the file as it has come from an internal application.

Resolution

RSA Archer team has assessed this vulnerability report and determined it is not a vulnerability in our product, but rather a side effect of the CSV format. We believe that this issue should be mitigated by the application which would be interpreting the user-exported CSV file rather than by the application creating it. The penetration reports are often accompanied by resolutions suggesting the escape or removal of the formula trigger characters. These suggestions, however, modify data in RSA Archer which can result in hard-to-debug issues like duplicate records or reports of version/audit updates when such CSVs are later imported. At this time, our analysis has concluded the negative side effects of a change to RSA Archer for this issue does not benefit the majority of our customers. RSA Archer will update this article if any new information is available in the future. RSA Archer customers are recommended to follow security best practices documented here: https://community.rsa.com/docs/DOC-94422
 
0 Likes
Was this article helpful? Yes No
No ratings
Version history
Last update:
‎2020-12-12 07:47 PM
Updated by:
Administrator Administrator

Related Content

Article Dashboard
© 2023 RSA Security LLC or its affiliates. All rights reserved.