7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
The maintainers of LibreOffice and OpenOffice have shipped security updates to their productivity software to remediate multiple vulnerabilities that could be weaponized by malicious actors to alter documents to make them appear as if they are digitally signed by a trusted source.
The list of the three flaws is as follows β
Successful exploitation of the vulnerabilities could permit an attacker to manipulate the timestamp of signed ODF documents, and worse, alter the contents of a document or self-sign a document with an untrusted signature, which is then tweaked to change the signature algorithm to an invalid or unknown algorithm.
In both the latter two attack scenarios β stemming as a result of improper certificate validation β LibreOffice incorrectly displays a validly signed indicator suggesting that the document hasnβt been tampered with since signing and presents a signature with an unknown algorithm as a legitimate signature issued by a trusted party.
The weaknesses have been fixed in OpenOffice version 4.1.11 and LibreOffice versions 7.0.5, 7.0.6, 7.1.1 as well as 7.1.2. The Chair for Network and Data Security (NDS) at the Ruhr-University Bochum has been credited with discovering and reporting all three issues.
The findings are the latest in a series of flaws uncovered by the Ruhr-University Bochum researchers and follow similar attack techniques disclosed earlier this year that could potentially enable an adversary to modify a certified PDF documentβs visible content by displaying malicious content over the certiο¬ed content without invalidating its signature.
Users of LibreOffice and OpenOffice are advised to update to the latest version to mitigate the risk associated with the flaws.
Found this article interesting? Follow THN on Facebook, Twitter ο and LinkedIn to read more exclusive content we post.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N