Attack Chain

1. An attacker authenticates to the ERPGo SaaS 3.9 application.
2. The attacker navigates to the vendor creation form.
3. In the “vendor name” field, the attacker injects a malicious CSV formula, such as =10+20+cmd|' /C calc'!A0.
4. The attacker submits the form, creating a new vendor entry with the malicious payload.
5. An authorized user exports vendor data to a CSV file.
6. The user opens the exported CSV file using a spreadsheet application like Microsoft Excel or LibreOffice Calc.
7. The spreadsheet application interprets and executes the injected formula.
8. The attacker achieves arbitrary code execution on the user’s system, potentially leading to further compromise.

Impact

Successful exploitation of this CSV injection vulnerability allows an attacker to execute arbitrary code on the system of the user opening the exported CSV file. This could lead to the installation of malware, data exfiltration, or further compromise of the internal network. Given the widespread use of spreadsheet applications, a single successful injection could affect multiple users and systems. The potential for data compromise and system takeover makes this a high-severity vulnerability.

Recommendation

• Deploy the Sigma rule Detect CSV Injection via Formula in Process Creation to your SIEM to identify potential exploitation attempts based on spawned processes (process_creation logs).
• Deploy the Sigma rule Detect CSV Injection via Formula in File Content to your SIEM to identify potentially crafted CSV files based on file content analysis (file_event logs).
• Upgrade to a patched version of ERPGo SaaS that addresses this vulnerability; consult the vendor’s security advisories for updates.
• Educate users about the risks of opening CSV files from untrusted sources and the potential for CSV injection attacks.