VYPR
Unrated severity · NVD Advisory · Published Jun 2, 2022 · Updated Sep 16, 2024

CVE-2022-26867

Description

PowerStore SW v2.1.1.0 supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It allows a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dell PowerStore SW v2.1.1.0 allows authenticated users to inject spreadsheet formulas via CSV/XLSX export, leading to potential data theft.

Vulnerability

Dell PowerStore SW version 2.1.1.0 contains a formula injection vulnerability (CVE-2022-26867) [1]. The PowerStore user interface supports exporting data to CSV or XLSX files without performing any validation or sanitization of the exported data. This allows a malicious, authenticated user to inject payloads that may be interpreted as formulas by spreadsheet applications (e.g., Microsoft Excel) when the file is opened [1].

Exploitation

An attacker must be an authenticated user of the PowerStore SW v2.1.1.0 web interface [1]. The attacker would perform the export operation to generate a CSV or XLSX file containing crafted payloads that mimic spreadsheet formulas (e.g., values starting with =, +, - or @) [1]. The attacker then needs to convince a victim (e.g., another user or administrator) to open the exported file in a desktop spreadsheet application that processes these formulas [1]. The attack requires user interaction (the victim opening the file) and high privileges (authenticated user).

Impact

If the victim opens the malicious CSV/XLSX file in a spreadsheet application, the injected formulas may execute arbitrary commands or exfiltrate data from the victim's environment [1]. Successful exploitation can lead to a confidentiality breach (data leakage), an integrity compromise (manipulation of spreadsheet content via formulas), and an availability impact (e.g., denial of service or corruption) [1]. The CVSS v3.1 base score is 5.9 (Medium), with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L [1].

Mitigation

Dell has released a security update to address this vulnerability; refer to Dell Security Advisory DSA-2022-014 [1]. Users should apply the latest PowerStore SW update above version 2.1.1.0 [1]. As a temporary workaround, users are advised to open CSV/XLSX files from PowerStore in a plain-text editor or in spreadsheet applications with macros and formula execution disabled [1].
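
The export-side neutralization that the description says was missing, together with an audit of an already exported CSV, as an added Python example; it is not Dell's fix or PowerStore code. The function names and sample rows are constructed, and the tab and carriage-return triggers follow OWASP's CSV injection guidance rather than this page.

```python
import csv
import io

# "=", "+", "-", "@" are the leading characters named in the advisory text;
# tab and carriage return are added here per OWASP's CSV injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def _is_number(text):
    try:
        float(text)
        return True
    except ValueError:
        return False

def is_formula_like(value):
    """True for strings that start with a trigger and are not plain numbers."""
    return (isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)
            and not _is_number(value))

def neutralize_cell(value):
    """Prefix formula-like strings with an apostrophe so they load as text."""
    return "'" + value if is_formula_like(value) else value

def export_csv(rows):
    """Serialize rows to CSV, neutralizing and quoting every cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

def audit_csv(text):
    """Return (row, column, value) for each formula-like cell in CSV text."""
    return [(r, c, cell)
            for r, row in enumerate(csv.reader(io.StringIO(text)), start=1)
            for c, cell in enumerate(row, start=1)
            if is_formula_like(cell)]

# Constructed sample rows; the object names and descriptions are hypothetical.
SAMPLE_ROWS = [
    ["name", "description", "size_delta_gb"],
    ["vol-01", "backup target", 500],
    ["vol-02", "=1+1", -5],
    ["vol-03", "@SUM(1,1)", 250],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```

Numeric values such as -5 are exempted so that legitimate negative numbers are neither rewritten on export nor reported by the audit.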

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
