Formula injection into CSV files vulnerability in RSA Archer 6.1.x and higher
RSA Product Set: RSA Archer RSA Version/Condition: 6.1.x and later
RSA Archer team occasionally receives reports - from customers performing penetration tests - on injection vulnerability detection when the RSA Archer application allows formula characters to be stored in the system and later exported directly to a comma-separated values (CSV) file. When the CSV is opened in a spreadsheet application, like Microsoft Excel or LibreOffice Calc, the formula is executed, which can cause arbitrary program execution on the user’s system and exfiltrate file contents, system information, etc.
CSV is an interchange format defined in RFC 4180 from the Internet Engineering Task Force (IETF). This format is typically used for exchanging data between two applications. The vulnerability report provides an attack scenario where, under certain circumstances, the exported formulas could be executed by a spreadsheet application opening the CSV file. The spreadsheet applications warn users about potential command execution when they open the CSV file (e.g. “Do not enable this content unless you trust the source of the file” is a warning Microsoft Excel shows to users), but users may trust the source of the file as it has come from an internal application.
RSA Archer team has assessed this vulnerability report and determined it is not a vulnerability in our product, but rather a side effect of the CSV format. We believe that this issue should be mitigated by the application which would be interpreting the user-exported CSV file rather than by the application creating it. The penetration reports are often accompanied by resolutions suggesting the escape or removal of the formula trigger characters. These suggestions, however, modify data in RSA Archer which can result in hard-to-debug issues like duplicate records or reports of version/audit updates when such CSVs are later imported. At this time, our analysis has concluded the negative side effects of a change to RSA Archer for this issue does not benefit the majority of our customers. RSA Archer will update this article if any new information is available in the future. RSA Archer customers are recommended to follow security best practices documented here: https://community.rsa.com/docs/DOC-94422
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell EMC, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.