Firewall Vulnerability Assessment showing a Formula Injection/CSV Injection vulnerability is Invalid

Created On 11/20/21 04:10 AM - Last Modified 11/17/25 20:47 PM


Symptom


A firewall vulnerability assessment may contain a vulnerability identified by any of the following titles:

  • Formula Injection
  • CSV Injection

These vulnerabilities are not related to the firewall, but to the application that opens an exported CSV file from the firewall.

Here is a Google document explaining how this vulnerability can cause the program opening the CSV file to be exploited.

Google Bug Hunters: CSV Formula Injection



Environment


All versions of PAN-OS

Cause


Customers open support cases with the understanding that the firewall itself is permitting or performing calculations on data in exported CSV files.



Resolution


Exported CSV files from the firewall are plain-text data. Certain kinds of applications interpret that plain text and apply their own logic to calculate a value. The difference is visible when a “word processing” application is used to open a CSV exported from the firewall versus a “text editing” application. Word processors are programs that provide for input, editing, formatting, and output of text, often with additional features, e.g., automatic formula calculation. Text editors, on the other hand, edit plain text without any such extra features.

In the following image, I have created an Address Object with the following values:

User-added image

This Address Object looks odd, but what matters is where these values land in a spreadsheet. If a word processor application is used to open the exported CSV, the “Description” cell converts the string (=A2+3) into a math statement. The “A2” characters reference the first cell under the “Name” column, which holds the string "1" on the spreadsheet. So the "Description" cell computes (1+3), which equals 4. The following output is from the macOS “Numbers” application, which is the default word processor application for spreadsheets on a macOS device.

macOS: Numbers (similar to Microsoft Excel)
User-added image

Similar output can be seen on other word processor software for spreadsheets, like Microsoft Excel.

When an application that functions as a text editor opens the exported CSV, it shows the string characters exactly as they are and performs no calculations.

macOS: TextEdit
User-added image

Sublime Text Editor
User-added image


Opening the CSV exported file using a command-line text editor will also show the plain-text string characters without performing calculations.
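The following is an added example, not code from the article or from PAN-OS, showing both sides of this in Python: a CSV parser (like a text editor) returns the literal "=A2+3" string with no calculation, and a neutralization step that downstream tooling can apply before handing an export to a spreadsheet application. The column layout and the Type/Address values are constructed for the example, not the real PAN-OS export format.

```python
import csv
import io

# Constructed sample modelled on the article's Address Object: Name "1",
# Description "=A2+3". The other columns are invented for the example.
ADDRESS_OBJECT_CSV = (
    "Name,Type,Address,Description\n"
    "1,ip-netmask,10.0.0.1/32,=A2+3\n"
)

# Leading characters that spreadsheet applications treat as the start of a
# formula (per OWASP CSV-injection guidance; tab and CR are included because
# some applications honour them as well).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def read_plain(csv_text):
    """Parse the export as text only, the way a text editor or csv.reader
    sees it: every cell comes back as the literal string that was written."""
    return list(csv.reader(io.StringIO(csv_text)))


def neutralize_cell(cell):
    """Escape a cell so a spreadsheet imports it as text instead of evaluating it.
    A leading single quote makes Excel/Numbers/LibreOffice treat the cell as a
    string (the apostrophe may stay visible). Note this also escapes plain
    negative numbers such as "-5"; relax FORMULA_PREFIXES if that matters."""
    if cell.startswith(FORMULA_PREFIXES):
        return "'" + cell
    return cell


def neutralize_csv(csv_text):
    """Return a copy of the export with every formula-like cell escaped.
    csv.writer re-quotes any cell containing commas, quotes or newlines."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text)):
        writer.writerow([neutralize_cell(c) for c in row])
    return out.getvalue()


if __name__ == "__main__":
    print(read_plain(ADDRESS_OBJECT_CSV)[1][3])   # literal "=A2+3", nothing computed
    print(neutralize_csv(ADDRESS_OBJECT_CSV), end="")
```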

Bash/nano
User-added image

Bash/vim
User-added image



Additional Information


Wikipedia: Word processor
Wikipedia: Text editor


