Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

Spreadsheet Formula Injection in FPM List UIBB ATS/FPM Tree UIBB/WD ALV, SAP security note 2272676

Description

UPDATE 26th October 2018: This note has been re-released with updated ‘Solution’ Information.

UPDATE 1st October 2018 : This note has been re-released with updated ‘Correction Instructions’ and ‘ Support Packages & Patches’ . Additionally CVSS information is also made available.

Comma Separated Values (CSC) format

When exporting the data displayed in an FPM List UIBB ATS or FPM Tree UIBB component by means of the standard function Export To Spreadsheet in the Comma Separated Values (CSV) format, the data might have been prepared accordingly before by an attacker, in order to embed formulas that invoke executable code on the client machine, on which the result file is opened. If for example the result file is opened by means of Microsoft Excel, the following warning is displayed:

Microsoft Office has identified a potential security concern. Automatic update of links has been disabled. If you choose to enable automatic update of links, your computer may no longer be secure. Do not enable this content unless you trust the source of this file.

[Enable]    [Disable]”

If an end-user then chooses the [Enable] option, the embedded contents in shape of potentially malicious formulas, are automatically executed.

Mitigation
The mentioned warning is always displayed upon opening a CSV file in Microsoft Excel, hence in case an end-user then chooses the [Disable] option, the file can nonentheless be opened, the embedded, potentially malicious formulas, are however then not automatically executed.

 

Office Open XML (Microsoft Excel) format
When exporting the data displayed in an FPM List UIBB ATS, FPM Tree UIBB or WD ABAP ALV component by means of the standard function Export To Spreadsheet in the Office Open XML (Microsoft Excel) format (Export to Microsoft Excel in the WD ABAP ALV end-user terminology), the data might have been prepared accordingly before by an attacker, in order to embed formulas that invoke executable code on the client machine, on which the result file is opened. If for example the result file is opened by means of Microsoft Excel, the following warning is displayed:

Microsoft Office has identified a potential security concern.

Automatic update of links has been disabled. If you choose to enable automatic update of links, your computer may no longer be secure. Do not enable this content unless you trust the source of this file.

[Enable]    [Disable]”

If an end-user then chooses the [Enable] option, the embedded contents in shape of potentially malicious formulas, are however not automatically executed. To actually execute these formulas, an end-user has to explicitly click into the respective cell, edit it and press the <ENTER> key. Afterwards a second warning is displayed:

Remote data not accessible.

To access the data Excel needs to start another application. Some legitimate applications on your computer could be used maliciuously to spread viruses or damage your computer. Only click Yes if you trust the source of the workbook and you want to let the workbook start the application.
Start application ‘…’

[Yes]    [No]

Only if then and end-user clicks [Yes], the respective formula is executed.

CVSS Information

CVSS v3 Base Score: 5.4 / 10
CVSS v3 Base Vector:

AV : Attack Vector (Related exploit range)

Network (N)

AC : Attack Complexity (Required attack complexity)

Low (L)

PR : Privileges Required (Level of privileges needed to exploit)

Low (L)

UI : User Interaction (Required user participation)

Required (R)

S : Scope (Change in scope due to impact caused to components beyond the vulnerable component)

Changed (C)

C : Impact to Confidentiality

Low (L)

I : Impact to Integrity

Low (L)

A : Impact to Availability

None (N)

SAP provides this CVSS v3 base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more information, see the FAQ section at https://support.sap.com/securitynotes.

Available fix and Supported packages

  • SAP_UI | 740 | 740
  • SAP_UI | 750 | 750
  • SAP_BASIS | 700 | 702
  • SAP_BASIS | 710 | 711
  • SAP_BASIS | 730 | 730
  • SAP_BASIS | 731 | 731
  • SAP_UI 740 | SAPK-74016INSAPUI |
  • SAP_UI 750 | SAPK-75003INSAPUI |
  • SAP_UI 750 | SAPK-75004INSAPUI |
  • SAP_BASIS 710 | SAPKB71021 |
  • SAP_BASIS 711 | SAPKB71116 |
  • SAP_BASIS 730 | SAPKB73015 |
  • SAP_BASIS 731 | SAPKB73118 |
  • SAP_BASIS 700 | SAPKB70034 |
  • SAP_BASIS 701 | SAPKB70119 |
  • SAP_BASIS 702 | SAPKB70219 |
  • SAP_BASIS 710 | SAPKB71024 |
  • SAP_BASIS 711 | SAPKB71119 |
  • SAP_BASIS 700 | SAPKB70037 |
  • SAP_BASIS 701 | SAPKB70122 |

Affected component

    BC-WD-CMP-ALV-ABA
    ALV for ABAP

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2272676

TAGS

#Web-Dynpro-ABAP
#ALV
#WDA
#FPM
#Floorplan-Manager
#List-UIBB-ATS
#Tree-UIBB
#Export
#Lean-Export
#LEX
#Spreadsheet
#Office-Open-XML
#OOXML
#Excel
#CSV
#Comma-Separated-Values

More to explorer

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.