Formula injection into CSV files vulnerability in RSA Archer 6.1.x and higher
RSA Product Set: RSA Archer RSA Version/Condition: 6.1.x and later
RSA Archer team occasionally receives reports - from customers performing penetration tests - on injection vulnerability detection when the RSA Archer application allows formula characters to be stored in the system and later exported directly to a comma-separated values (CSV) file. When the CSV is opened in a spreadsheet application, like Microsoft Excel or LibreOffice Calc, the formula is executed, which can cause arbitrary program execution on the user’s system and exfiltrate file contents, system information, etc.
CSV is an interchange format defined in RFC 4180 from the Internet Engineering Task Force (IETF). This format is typically used for exchanging data between two applications. The vulnerability report provides an attack scenario where, under certain circumstances, the exported formulas could be executed by a spreadsheet application opening the CSV file. The spreadsheet applications warn users about potential command execution when they open the CSV file (e.g. “Do not enable this content unless you trust the source of the file” is a warning Microsoft Excel shows to users), but users may trust the source of the file as it has come from an internal application.
RSA Archer team has assessed this vulnerability report and determined it is not a vulnerability in our product, but rather a side effect of the CSV format. We believe that this issue should be mitigated by the application which would be interpreting the user-exported CSV file rather than by the application creating it. The penetration reports are often accompanied by resolutions suggesting the escape or removal of the formula trigger characters. These suggestions, however, modify data in RSA Archer which can result in hard-to-debug issues like duplicate records or reports of version/audit updates when such CSVs are later imported. At this time, our analysis has concluded the negative side effects of a change to RSA Archer for this issue does not benefit the majority of our customers. RSA Archer will update this article if any new information is available in the future. RSA Archer customers are recommended to follow security best practices documented here: https://community.rsa.com/docs/DOC-94422