RHEL 6 : libreoffice (Unpatched Vulnerability)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory libreoffice. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196590);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/13");

  script_cve_id(
    "CVE-2017-7870",
    "CVE-2017-8358",
    "CVE-2017-12607",
    "CVE-2017-12608",
    "CVE-2018-10119",
    "CVE-2018-10120",
    "CVE-2018-10583",
    "CVE-2018-16858",
    "CVE-2019-9848",
    "CVE-2019-9849",
    "CVE-2019-9850",
    "CVE-2019-9851",
    "CVE-2019-9852",
    "CVE-2019-9853",
    "CVE-2019-9854",
    "CVE-2020-12802",
    "CVE-2020-12803",
    "CVE-2021-25633",
    "CVE-2021-25634",
    "CVE-2021-25635",
    "CVE-2021-25636",
    "CVE-2022-38745",
    "CVE-2023-0950",
    "CVE-2023-1183",
    "CVE-2023-2255",
    "CVE-2023-6185",
    "CVE-2023-6186"
  );

  script_name(english:"RHEL 6 : libreoffice (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 6 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - libreoffice: LibreLogo global-event script execution (CVE-2019-9851)

  - A vulnerability in OpenOffice's PPT file parser before 4.1.4, and specifically in PPTStyleSheet, allows
    attackers to craft malicious documents that cause denial of service (memory corruption and application
    crash) potentially resulting in arbitrary code execution. (CVE-2017-12607)

  - A vulnerability in Apache OpenOffice Writer DOC file parser before 4.1.4, and specifically in
    ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory
    corruption and application crash) potentially resulting in arbitrary code execution. (CVE-2017-12608)

  - LibreOffice before 2017-01-02 has an out-of-bounds write caused by a heap-based buffer overflow related to
    the tools::Polygon::Insert function in tools/source/generic/poly.cxx. (CVE-2017-7870)

  - LibreOffice before 2017-03-17 has an out-of-bounds write caused by a heap-based buffer overflow related to
    the ReadJPEG function in vcl/source/filter/jpeg/jpegc.cxx. (CVE-2017-8358)

  - sot/source/sdstor/stgstrms.cxx in LibreOffice before 5.4.5.1 and 6.x before 6.0.1.1 uses an incorrect
    integer data type in the StgSmallStrm class, which allows remote attackers to cause a denial of service
    (use-after-free with write access) or possibly have unspecified other impact via a crafted document that
    uses the structured storage ole2 wrapper file format. (CVE-2018-10119)

  - The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolbar.cxx in LibreOffice before 5.4.6.1 and
    6.x before 6.0.2.1 does not validate a customizations index, which allows remote attackers to cause a
    denial of service (heap-based buffer overflow with write access) or possibly have unspecified other impact
    via a crafted document that contains a certain Microsoft Word record. (CVE-2018-10120)

  - An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5
    automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by
    xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document.
    (CVE-2018-10583)

  - It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal
    attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a
    document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary
    file system location, specified relative to the LibreOffice install location. (CVE-2018-16858)

  - LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on
    various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a
    programmable turtle vector graphics script, which can be manipulated into executing arbitrary python
    commands. By using the document event feature to trigger LibreLogo to execute python contained within a
    document a malicious document could be constructed which would execute arbitrary python commands silently
    without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This
    issue affects: Document Foundation LibreOffice versions prior to 6.2.5. (CVE-2019-9848)

  - LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to
    retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to
    disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet
    graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation
    LibreOffice versions prior to 6.2.5. (CVE-2019-9849)

  - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can
    execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a
    feature where documents can specify that pre-installed scripts can be executed on various document script
    events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo
    from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed
    malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This
    issue affects: Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9850)

  - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various
    script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under
    the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was
    added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary
    locations on the file system could be executed. However this new protection could be bypassed by a URL
    encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded
    before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
    (CVE-2019-9852)

  - LibreOffice documents can contain macros. The execution of those macros is controlled by the document
    security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in
    how the urls to the macros within the document were processed and categorized, resulting in the
    possibility to construct a document where macro execution bypassed the security settings. The documents
    were correctly detected as containing macros, and prompted the user to their existence within the
    documents, but macros within the document were subsequently not controlled by the security settings
    allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7;
    LibreOffice 6.3 series versions prior to 6.3.1. (CVE-2019-9853)

  - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various
    script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under
    the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was
    added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary
    locations on the file system could be executed by employing a URL encoding attack to defeat the path
    verification step. However this protection could be bypassed by taking advantage of a flaw in how
    LibreOffice assembled the final script URL location directly from components of the passed in path as
    opposed to solely from the sanitized output of the path verification step. This issue affects: Document
    Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1. (CVE-2019-9854)

  - LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to
    retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to
    disable LibreOffice's ability to include remote resources within a document. A flaw existed where remote
    graphic links loaded from docx documents were omitted from this protection prior to version 6.4.4. This
    issue affects: The Document Foundation LibreOffice versions prior to 6.4.4. (CVE-2020-12802)

  - ODF documents can contain forms to be filled out by the user. Similar to HTML forms, the contained form
    data can be submitted to a URI, for example, to an external web server. To create submittable forms, ODF
    implements the XForms W3C standard, which allows data to be submitted without the need for macros or other
    active scripting Prior to version 6.4.4 LibreOffice allowed forms to be submitted to any URI, including
    file: URIs, enabling form submissions to overwrite local files. User-interaction is required to submit the
    form, but to avoid the possibility of malicious documents engineered to maximize the possibility of
    inadvertent user submission this feature has now been limited to http[s] URIs, removing the possibility to
    overwrite local files. This issue affects: The Document Foundation LibreOffice versions prior to 6.4.4.
    (CVE-2020-12803)

  - LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual
    aids that no alteration of the document occurred since the last signing and that the signature is valid.
    An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally
    signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the
    document to combine multiple certificate data, which when opened caused LibreOffice to display a validly
    signed indicator but whose content was unrelated to the signature shown. This issue affects: The Document
    Foundation LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2. (CVE-2021-25633)

  - LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual
    aids that no alteration of the document occurred since the last signing and that the signature is valid.
    An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to modify a digitally
    signed ODF document to insert an additional signing time timestamp which LibreOffice would incorrectly
    present as a valid signature signed at the bogus signing time. This issue affects: The Document Foundation
    LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2. (CVE-2021-25634)

  - libreoffice: Content Manipulation with Certificate Validation Attack (CVE-2021-25635)

  - LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual
    aids that no alteration of the document occurred since the last signing and that the signature is valid.
    An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally
    signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the
    document to contain both X509Data and KeyValue children of the KeyInfo tag, which when opened caused
    LibreOffice to verify using the KeyValue but to report verification with the unrelated X509Data value.
    This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.5. (CVE-2021-25636)

  - Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path.
    This may lead to run arbitrary Java code from the current directory. (CVE-2022-38745)

  - Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation
    LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow
    when loaded. In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as
    AGGREGATE, could be created with less parameters passed to the formula interpreter than it expected,
    leading to an array index underflow, in which case there is a risk that arbitrary code could be executed.
    This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.6; 7.5 versions prior to
    7.5.1. (CVE-2023-0950)

  - A flaw was found in the Libreoffice package. An attacker can craft an odb containing a database/script
    file with a SCRIPT command where the contents of the file could be written to a new file whose location
    was determined by the attacker. (CVE-2023-1183)

  - Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to
    craft a document that would cause external links to be loaded without prompt. In the affected versions of
    LibreOffice documents that used floating frames linked to external files, would load the contents of
    those frames without prompting the user for permission to do so. This was inconsistent with the treatment
    of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4
    versions prior to 7.4.7; 7.5 versions prior to 7.5.3. (CVE-2023-2255)

  - Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice
    allows an attacker to execute arbitrary GStreamer plugins. In affected versions the filename of the
    embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary
    gstreamer plugins depending on what plugins are installed on the target system. (CVE-2023-6185)

  - Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to
    execute built-in macros without warning. In affected versions LibreOffice supports hyperlinks with macro
    or similar built-in command targets that can be executed when activated without warning the user.
    (CVE-2023-6186)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9851");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libreoffice");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'libreoffice', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'libreoffice'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libreoffice');
}