CSV Injection in Orchestration Templates

Moderate
Fryguy published GHSA-fvwm-rpxw-jgcx Aug 17, 2020

Package

No package listed

Affected versions

>= ivanchuk

Patched versions

ivanchuk-7, jansa-1-rc2

Description

A flaw was found in the Orchestration Template of ManageIQ where a low-privilege user could enter crafted CSV formulae. Successful exploitation will allow an attacker to execute arbitrary code with the privilege of the currently logged-in user of the system, causing serious damage to the victim's system.

Acknowledgements

Red Hat would like to thank Purnachand Pulahari (IBM) and Ranjit Kumar Singh (IBM) for reporting this issue.

https://access.redhat.com/security/cve/cve-2020-10780


Details

It is common for users to open CSV payloads in spreadsheet applications such as Microsoft Excel and Google Sheets. When the file is imported, cells containing formulas are honored, and that includes dangerous formulas that can access the filesystem and make remote HTTP calls. Google has taken the stance that they will not prevent this[ref]. Microsoft Excel and LibreOffice pop up warnings, but users routinely dismiss them, so they remain potentially vulnerable.

The exploit consists of an unprivileged user entering a spreadsheet formula, such as =HYPERLINK("http://badguy.example.com","Link Injection1"), into a field such as the description of a new Orchestration Template. Another user can export that data to a CSV file, download it locally, and open it in a spreadsheet application. Since the spreadsheet application honors the formula, it is executed when that user opens the file. In this example we have simply linked to badguy.example.com, but the same technique can be used for far more damaging attacks, including running arbitrary executables on the user's system.

To remediate this, we've modified CSV exports across the application to detect possible formulas and escape them.
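The detect-and-escape approach described above, shown as an added Ruby example that is not the ManageIQ patch itself; the list of trigger characters and the single-quote prefix are assumptions about a common mitigation, not details taken from the advisory:

```ruby
require 'csv'

# Leading characters that make a spreadsheet treat a cell as a formula when
# the CSV is opened. Assumed list for this example, not from the advisory.
FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"].freeze

# Detection: would a spreadsheet interpret this cell as a formula?
def formula_like?(value)
  return false unless value.is_a?(String)
  FORMULA_TRIGGERS.any? { |c| value.start_with?(c) }
end

# Escape: prefix a single quote so the application treats the cell as
# literal text. Values like "-5" are also prefixed; that is the conservative
# trade-off of this approach.
def escape_cell(value)
  return value unless formula_like?(value)
  "'#{value}"
end

# Build the CSV export with every cell passed through escape_cell.
# Ruby's CSV library handles quoting of embedded quotes and commas.
def safe_csv(rows)
  CSV.generate do |csv|
    rows.each { |row| csv << row.map { |cell| escape_cell(cell) } }
  end
end

# Constructed sample export: an orchestration template whose description
# field contains the formula from the advisory's example.
SAMPLE_ROWS = [
  ['Name', 'Description'],
  ['web-stack', 'Plain description'],
  ['db-stack', '=HYPERLINK("http://badguy.example.com","Link Injection1")']
].freeze

puts safe_csv(SAMPLE_ROWS) if $PROGRAM_NAME == __FILE__
```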

Fixed in ivanchuk-7, jansa-1-rc2, master

Severity

Moderate

CVE ID

CVE-2020-10780

Weaknesses

No CWEs