CVE-2024-27756
📋 TL;DR
CVE-2024-27756 is a CSV injection vulnerability in GLPI that allows attackers to embed malicious formulas in asset titles. When exported to CSV and opened in spreadsheet applications like Excel, these formulas can execute arbitrary commands. This affects GLPI instances where users can create assets.
💻 Affected Systems
- GLPI
📦 What is this software?
Glpi by Glpi Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on victim's machine when malicious CSV is opened in Excel, potentially leading to full system compromise, data theft, or ransomware deployment.
Likely Case
Local code execution on the victim's computer when they open a malicious CSV export, allowing the attacker to steal credentials, install malware, or pivot to internal networks.
If Mitigated
Limited to social engineering success: the victim must open the CSV in a vulnerable spreadsheet application and accept the prompts to enable macros/formulas.
🎯 Exploit Status
Exploit requires authenticated access to create assets. CSV injection techniques are well-documented and easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.13 and later
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-xxxx-xxxx-xxxx
Restart Required: No
Instructions:
1. Backup your GLPI installation and database.
2. Download GLPI 10.0.13 or later from the official repository.
3. Follow the standard GLPI upgrade procedure.
4. Verify that CSV exports properly sanitize formula characters.
🔧 Temporary Workarounds
Input Sanitization
Add custom validation to sanitize formula characters (=, +, -, @) in asset titles before saving.
Modify GLPI source code to escape CSV formula characters in asset creation forms
Export Restrictions
Restrict CSV export capabilities to trusted users only.
Configure GLPI permissions to limit CSV export to administrators only
🧯 If You Can't Patch
- Implement strict input validation to block formula characters (=, +, -, @) in asset titles
- Educate users to never open CSV files from untrusted sources in spreadsheet applications
🔍 How to Verify
Check if Vulnerable:
Attempt to create an asset with a title starting with =cmd|' /C calc'!A0 and export to CSV. If the formula executes when the export is opened in Excel, the system is vulnerable.
Check Version:
Check GLPI version in Administration > General > Information or via database: SELECT value FROM glpi_configs WHERE name = 'version'
Verify Fix Applied:
After patching, attempt the same test: formula characters should be properly escaped in the CSV output.
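As an added example (not GLPI's own code), the two halves of the Input Sanitization workaround and the post-patch export check above in Python: a detector for formula-like asset titles and an export routine that neutralizes them with the conventional leading single quote. The function names, the extra tab/carriage-return triggers and the sample asset records are assumptions.

```python
import csv
import io

# Characters a spreadsheet treats as the start of a formula. The advisory lists
# =, +, -, @; tab and carriage return are added here as an assumption drawn from
# general CSV-injection guidance, not from the GLPI advisory.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value) -> bool:
    """True if a spreadsheet would try to evaluate this cell as a formula."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Force a formula-like value to be displayed as text.

    Prefixing a single quote is the usual CSV-injection mitigation: Excel and
    LibreOffice then show the text literally instead of evaluating it.
    Harmless values are returned unchanged.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_csv(header, rows) -> str:
    """Render rows to CSV with every cell neutralized and fully quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample asset records (title, location); not from a real export.
SAMPLE_ASSETS = [
    ("Laptop-042", "Finance"),
    ("=SUM(1,1)", "IT"),        # would be evaluated by a spreadsheet
    ("@printer-07", "Ops"),     # '@' also starts a formula in Excel
    ("-temp-server", "Lab"),    # leading '-' is parsed as arithmetic
]


def flag_suspicious_titles(assets):
    """Input-validation / log-review helper: titles that would be evaluated."""
    return [title for title, _ in assets if is_formula_like(title)]


if __name__ == "__main__":
    print(export_csv(("name", "location"), SAMPLE_ASSETS))
    print("suspicious:", flag_suspicious_titles(SAMPLE_ASSETS))
```

Apply neutralize_cell at export time and is_formula_like at asset-creation time; the pre-patch title from the verification step above is rejected by the first and rendered harmless by the second.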
📡 Detection & Monitoring
Log Indicators:
- Asset creation logs with formula characters (=, +, -, @) in titles
- Multiple CSV export requests from single user
Network Indicators:
- CSV file downloads from GLPI with suspicious content
SIEM Query:
source="glpi" AND (asset_title="=*" OR asset_title="+*" OR asset_title="-*" OR asset_title="@*")