
Security Bulletin: IBM Resilient Platform could allow formula injection in Excel (CVE-2020-4633)

Security Bulletin


Summary

Formula injection is possible in an Excel report generated by the Resilient platform when a field name or field value begins with one of the characters that a spreadsheet application treats as the start of a formula.

Vulnerability Details

CVEID:   CVE-2020-4633
DESCRIPTION:   IBM Resilient could allow a remote attacker to execute arbitrary code on the system, caused by formula injection due to improper input validation.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185418 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L)

Affected Products and Versions

Affected Product(s)      Version(s)
Resilient OnPrem         IBM Security SOAR

Remediation/Fixes

A spreadsheet application, such as Excel, is susceptible to formula injection if the content of a cell begins with one of these characters:

  • Equals (“=”)
  • Plus (“+”)
  • Minus (“-”)
  • At (“@”)

Because the exported report carries data that was entered into the platform (incident names, field values, notes), anyone who can write to those fields can place such a value in the report. In most cases, Excel displays a security warning when the file is opened, but users are likely to dismiss it because the report was generated by a trusted internal system.

As of Resilient platform V39, you can enable the reports.character_blocklist_enabled option. You can upgrade to this version of the platform by following the instructions in the "Upgrade Procedure" section in the IBM Knowledge Center.

Once enabled, this parameter prevents the generation of the report if the data would cause any cell to begin with one of the characters listed above, and the platform displays the following message:


Report Failed
An error occurred while generating your report.

To enable this option, use the following command:

sudo resutil configset -key reports.character_blocklist_enabled -bvalue true

To disable this option, use the following command:

sudo resutil configset -key reports.character_blocklist_enabled -bvalue false

To check whether or not this option is enabled, use this command:

sudo resutil configget -key reports.character_blocklist_enabled

If the value 1 is returned, the option is enabled. If the value 0 is returned, the option is not enabled.
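The following Python is an added example, not code from the Resilient platform, showing the check that a blocklist of this kind performs on report data and the usual alternative of neutralising offending cells instead of refusing the report. The sample incident rows are constructed for the example; the names FORMULA_TRIGGERS, find_formula_cells, export_csv and ReportFailed are the example's own. The extended trigger set (tab and carriage return) follows OWASP CSV-injection guidance and goes beyond the four characters the bulletin lists.

```python
import csv
import io

# Leading characters that Excel treats as the start of a formula, as listed
# in the bulletin.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# Tab and carriage return are also treated as triggers by some import paths
# (OWASP CSV-injection guidance). Blocking them goes beyond the bulletin's list.
EXTENDED_TRIGGERS = FORMULA_TRIGGERS + ("\t", "\r")


class ReportFailed(Exception):
    """Raised in blocklist mode, mirroring the platform's 'Report Failed' outcome."""


def is_formula_like(value, triggers=FORMULA_TRIGGERS):
    """True if the cell text would be parsed as a formula when opened in a spreadsheet."""
    return isinstance(value, str) and value.startswith(triggers)


def find_formula_cells(rows, triggers=FORMULA_TRIGGERS):
    """Return (row_index, column_index, value) for every offending cell.
    The header row is checked too: field names are attacker-influenced as well."""
    hits = []
    for r, row in enumerate(rows):
        for c, value in enumerate(row):
            if is_formula_like(value, triggers):
                hits.append((r, c, value))
    return hits


def neutralize(value):
    """Alternative to refusing the report: prefix a formula-like cell with a
    single quote so the spreadsheet stores it as text. Embedded quotes and
    commas are handled by the csv module's own quoting."""
    if is_formula_like(value, EXTENDED_TRIGGERS):
        return "'" + value
    return value


def export_csv(rows, mode="blocklist"):
    """Render rows to CSV text.
    mode="blocklist":  raise ReportFailed if any cell begins with a trigger
                       (the behaviour of reports.character_blocklist_enabled).
    mode="neutralize": keep generating, but disarm the offending cells.
    """
    if mode == "blocklist":
        hits = find_formula_cells(rows)
        if hits:
            raise ReportFailed(
                "Report Failed: %d cell(s) begin with a formula trigger" % len(hits))
        out_rows = rows
    elif mode == "neutralize":
        out_rows = [[neutralize(v) for v in row] for row in rows]
    else:
        raise ValueError("unknown mode %r" % mode)
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(out_rows)
    return buf.getvalue()


# Constructed sample incident data (not taken from any real platform). Row 2's
# Description and row 3's Name begin with trigger characters; both would be
# evaluated as formulas once the export is opened in Excel.
SAMPLE_ROWS = [
    ["Incident ID", "Name", "Description"],
    [1001, "Phishing report", "User reported suspicious mail"],
    [1002, "Malware alert", '=HYPERLINK("http://example.invalid","see details")'],
    [1003, "-10 hosts offline", "Network outage in DC2"],
]

if __name__ == "__main__":
    for r, c, v in find_formula_cells(SAMPLE_ROWS):
        print("row %d col %d: %r" % (r, c, v))
    try:
        export_csv(SAMPLE_ROWS, mode="blocklist")
    except ReportFailed as e:
        print(e)
    print(export_csv(SAMPLE_ROWS, mode="neutralize"))
```

Note that "-10 hosts offline" is legitimate text that the blocklist still rejects, which is exactly the trade-off the platform makes by failing the whole report rather than altering data: neutralising with a leading apostrophe keeps the report but changes what the user sees in the cell, so an operator has to decide which failure mode is acceptable for their reports.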

Workarounds and Mitigations

None


Acknowledgement

John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Kamil Sarbinowski, Vince Dragnea, Troy Fisher and Elaheh Samani from IBM X-Force Ethical Hacking Team.

Change History

23 Nov 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the X-Force link given under Vulnerability Details in this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Business Unit: Security (BU008); Product: IBM Resilient (SSDVCX); Platform: Red Hat (PF043); Version: IBM Resilient SOAR V38.0

Document Information

Modified date:
19 July 2022

UID

ibm16380884