Lucene search

K
ibmIBM4CDCC5E7FA8EA0DD422C3D712294173E45FD6F9216890011A324411C85C57507
HistoryJul 19, 2022 - 9:38 p.m.

Security Bulletin: IBM Resilient Platform could allow formula injection in Excel (CVE-2020-4633)

2022-07-1921:38:16
www.ibm.com
6
ibm resilient
formula injection
excel
cve-2020-4633
security bulletin
input validation
character blocklist
remote code execution
vulnerability

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.2

Confidence

High

EPSS

0.004

Percentile

72.9%

Summary

Formula injection is possible in an Excel report generated by the Resilient platform, when a field name or value begins with specific characters.

Vulnerability Details

**CVEID:**CVE-2020-4633 DESCRIPTION: IBM Resilient could allow a remote attacker to execute arbitrary code on the system, caused by formula injection due to improper input validation.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185418 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
Resilient OnPrem IBM Security SOAR

Remediation/Fixes

A spreadsheet, such as Excel, is susceptible to a formula injection if a cell begins with one of these characters:

  • Equals to (“=”)
  • Plus (“+”)
  • Minus (“-“)
  • At (“@”)

In most cases, Excel displays a warning when the files is opened, but users might ignore it since the report was generated from the platform.

As of Resilient platform V39, you can enable the reports.character_blocklist_enabled option. You can upgrade to this level of the platform by following instructions in the “Upgrade Procedure” section in the IBM Knowledge Center.

Once enabled, this parameter prevents the generation of the report if the data causes a cell to begin with one the characters, and it displays the following message:

Report Failed  

An error occurred while generating your report.

To enable this option, use the following command:

sudo resutil configset -key reports.character_blocklist_enabled -bvalue true

To disable this option, use the following command:

sudo resutil configset -key reports.character_blocklist_enabled -bvalue false

To check whether or not this option is enabled, use this command:

sudo resutil configget -key reports.character_blocklist_enabled

If the value 1 is returned, the option is enabled. If the value 0 is returned, the option is not enabled.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmresilientMatch38.0
VendorProductVersionCPE
ibmresilient38.0cpe:2.3:a:ibm:resilient:38.0:*:*:*:*:*:*:*

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.2

Confidence

High

EPSS

0.004

Percentile

72.9%

Related for 4CDCC5E7FA8EA0DD422C3D712294173E45FD6F9216890011A324411C85C57507