Security Bulletin: IBM Resilient Platform could allow formula injection in Excel (CVE-2020-4633)

Summary

Formula injection is possible in an Excel report generated by the Resilient platform, when a field name or value begins with specific characters.

Vulnerability Details

CVEID:CVE-2020-4633
**DESCRIPTION:**IBM Resilient could allow a remote attacker to execute arbitrary code on the system, caused by formula injection due to improper input validation.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185418 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L)

Affected Products and Versions

Remediation/Fixes

A spreadsheet, such as Excel, is susceptible to a formula injection if a cell begins with one of these characters:

• Equals to (“=”)
• Plus (“+”)
• Minus (“-“)
• At (“@”)

In most cases, Excel displays a warning when the files is opened, but users might ignore it since the report was generated from the platform.

As of Resilient platform V39, you can enable the reports.character_blocklist_enabled option. You can upgrade to this level of the platform by following instructions in the “Upgrade Procedure” section in the IBM Knowledge Center.

Once enabled, this parameter prevents the generation of the report if the data causes a cell to begin with one the characters, and it displays the following message:

Report Failed  

An error occurred while generating your report.

To enable this option, use the following command:

sudo resutil configset -key reports.character_blocklist_enabled -bvalue true

To disable this option, use the following command:

sudo resutil configset -key reports.character_blocklist_enabled -bvalue false

To check whether or not this option is enabled, use this command:

sudo resutil configget -key reports.character_blocklist_enabled

If the value 1 is returned, the option is enabled. If the value 0 is returned, the option is not enabled.

Workarounds and Mitigations

None