{"id":18592,"date":"2022-07-04T23:35:16","date_gmt":"2022-07-04T21:35:16","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2021-0031\/"},"modified":"2022-07-08T15:06:38","modified_gmt":"2022-07-08T13:06:38","slug":"usd-2021-0031","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0031\/","title":{"rendered":"usd-2021-0031"},"content":{"rendered":"\n\n\n[et_pb_section fb_built=\"1\" _builder_version=\"4.17.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

usd-2021-0031 (CVE-2022-22689) | CA Harvest Software Change Manager<\/h1>\n

Advisory ID<\/strong>: usd-2021-0031
CVE ID<\/strong>: CVE-2022-22689
CVE URL: <\/a><\/strong>https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-22689\u00a0<\/a>
Affected Product<\/strong>: CA Harvest Software Change Manager
Affected Versions<\/strong>: v13.0.3,<\/span> v13.0.4,<\/span> v14.0.0, <\/span>v14.0.1, see vendor advisory<\/a><\/span>
Vulnerability Type<\/strong>: CWE-1236<\/a>: Improper Neutralization of Formula Elements in a CSV File<\/span>
Security Risk<\/strong>: High
Vendor URL<\/strong>: https:\/\/www.broadcom.com\/products\/software\/business-management\/ca-service-management\/harvest-software-change-manager\u00a0<\/a>
Vendor Status<\/strong>: Fixed<\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

The client allows to export peer review lists. There is no filtering, so that an Office formula can be used as a name for a package. This formula can then be exported to a CSV file and will be evaluated once the CSV file is opened in a spreadsheet program. This vulnerability can only be exploited by users with higher privileges.<\/p>\n

A CSV injection occurs if data containing office formulas is exported unfiltered to CSV files. If the exported files are opened in a spreadsheet program, such as Microsoft Excel, these formulas is evaluated on the users computer.<\/p>\n

The Harvest Software Change Manage<\/em>r allows users with higher privileges to create packages. As package names office formulas can be used. This package then must be sent to review using the functionality in the context menu \"Request for Peer Review\".
Another user is able to export a PendingReviewsList<\/strong> where this package name is contained if sent to peer review. If this exported CSV file is then opened in a spreadsheet program the formulas are evaluated.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

1. Create a package with the following name: =cmd | '\/C calc.exe' !z<\/strong>
2. Send this package to peer review using context menu \"Request for Peer Review<\/em>\".
3. Visit the PendingReviewsList<\/strong>.
4. Right click on any item and use the option \"Save List As...<\/em>\":<\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/csv_injection_1.png\" title_text=\"csv_injection_1\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

5. Select CSV and export the file:<\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/csv_injection_2.png\" title_text=\"csv_injection_2\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

6. Open the file and accept the security risk warnings (two are shown in MS Excel):<\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/csv_injection_3.png\" title_text=\"csv_injection_3\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/csv_injection_4.png\" title_text=\"csv_injection_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

6. Calc.exe is executed:<\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/csv_injection_5.png\" title_text=\"csv_injection_5\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

\n
\n

Fix<\/h3>\n

It is recommended to restrict the set of allowed characters as much as possible for all user input. This can, for example, be realized with a whitelist. Additionally, every cell that starts with an equal- (=), a plus- (+), a minus- (-) or an at-sign (@), or contains a comma (,) or a semicolon (;) should be prepended with a single quote and embedded in double quotes (\") when generating spreadsheets, such as .csv, .xls or .xlsx files, automatically (https:\/\/owasp.org\/www-community\/attacks\/CSV_Injection<\/a>). Furthermore, every double quote occurring within the content of a cell should be preceded by another double quote to avoid an early termination of the quoted string. In order to achieve this, a suitable library can be used.<\/p>\n

<\/h3>\n

References<\/h3>\n