The developers of LibreOffice have released updates for the open source Office suite to patch three security issues.
LibreOffice is a popular cross-platform Microsoft Office alternative that is available for Windows, macOS and Linux. All three desktop versions of LibreOffice are affected by the security issues. Attackers who exploit the issues successfully may bypass LibreOffice’s macro signature checks to run malicious macros, or may recover passwords that LibreOffice stores in encrypted form.
LibreOffice 7.2.7 and 7.3.3 or later are secure
Updates for LibreOffice have been available for some time, but users and system administrators should check the installed versions to make sure that installations are protected against potential attacks targeting the vulnerabilities.
The latest versions of LibreOffice are LibreOffice 7.3.3 and LibreOffice 7.2.7; both are available as downloads on the official website. To help the project save bandwidth, torrent downloads are recommended.
Existing installations may be updated by running the provided installer. It walks users through setting up LibreOffice and the installation of optional components.
Here is what you need to do to check the installed LibreOffice version:
- Open any LibreOffice application, e.g., LibreOffice Writer.
- Select Help > About LibreOffice.
The page that opens displays the installed version. If it is lower than 7.2.7 or 7.3.3, the installation is vulnerable to attacks that target these issues.
LibreOffice supports manual update checks and the downloading of updates using the Office client. Select Help > Check for Updates to run a check. The application checks if a new version is available; a new version is then downloaded and installed.
LibreOffice security vulnerabilities
Three security vulnerabilities were reported to LibreOffice by OpenSource Security GmbH on behalf of the German Federal Office for Information Security. The vulnerabilities have received a severity rating of high, which is second only to a severity rating of critical.
Here is the list of vulnerabilities:
- CVE-2022-26305 — Execution of Untrusted Macros Due to Improper Certificate Validation
- CVE-2022-26306 — Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password
- CVE-2022-26307 — Weak Master Keys
Execution of Untrusted Macros Due to Improper Certificate Validation
LibreOffice supports the execution of macros, but limits it to macros in documents that are either stored in a trusted file location or signed with a trusted certificate. LibreOffice maintains a list of trusted certificates in the user’s configuration database.
When a document contains macros, LibreOffice attempts to match the certificate to the list of trusted certificates. The macro is executed if a matching certificate is found, and blocked otherwise.
Security researchers detected an issue in the certificate validation algorithm that LibreOffice uses. LibreOffice matched only “the serial number and issuer string of the used certificate with that of a trusted certificate”, which is insufficient, because neither value is bound to the signer’s key.
An attacker could create an arbitrary certificate that copies the serial number and issuer string of a certificate on the trusted list. LibreOffice would then treat macros signed with that look-alike certificate as trusted, even though they were not signed with the trusted certificate; this could lead to the execution of arbitrary code on the system through untrusted macros.
The exploit does not work if no trusted certificates are stored in LibreOffice or if the macro security level is set to very high.
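To make the flaw concrete, here is an added example (not LibreOffice code) that contrasts the insufficient issuer-plus-serial match with a comparison of the whole certificate. The certificates are small constructed stand-ins; the `der` field represents the full encoded certificate that a signature is actually bound to.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for an X.509 certificate (constructed for this example)."""
    issuer: str
    serial: int
    der: bytes  # full encoded certificate; the key material lives in here

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def weak_is_trusted(cert: Certificate, trusted: list[Certificate]) -> bool:
    """The insufficient check: issuer string and serial number only."""
    return any(cert.issuer == t.issuer and cert.serial == t.serial for t in trusted)


def strict_is_trusted(cert: Certificate, trusted: list[Certificate]) -> bool:
    """Hardened check: compare the whole certificate via its fingerprint."""
    fp = cert.fingerprint()
    return any(fp == t.fingerprint() for t in trusted)


# Constructed sample data; the byte strings merely stand in for real DER encodings.
TRUSTED_CERT = Certificate("CN=Example Corp CA", 0x1001, b"TRUSTED-CERT-DER-PUBKEY-A")
TRUSTED_LIST = [TRUSTED_CERT]

# Look-alike: same issuer string and serial number, entirely different key material.
LOOKALIKE_CERT = Certificate("CN=Example Corp CA", 0x1001, b"LOOKALIKE-CERT-DER-PUBKEY-B")


def compare_checks(cert: Certificate, trusted: list[Certificate]) -> tuple[bool, bool]:
    """Return (weak result, strict result) for one certificate against a trust list."""
    return weak_is_trusted(cert, trusted), strict_is_trusted(cert, trusted)
```

With an empty trust list both checks reject everything, which is why the issue cannot be triggered when no trusted certificates are stored.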
Changing the macro security setting
To check or change the macro security setting, do the following:
- Open a LibreOffice application, e.g., LibreOffice Writer.
- Select Tools > Options, or use the keyboard shortcut Alt-F12 to open the preferences.
- Go to LibreOffice > Security.
- Activate the Macro Security button.
The page that opens displays the current security level of macros in LibreOffice. The default setting is high; the other settings are very high, medium, and low.
- Very High — Only macros from trusted file locations are allowed to run. All other macros, regardless of whether they are signed, are disabled.
- High — Only signed macros from trusted sources are allowed to run. Unsigned macros are disabled.
- Medium — Confirmation required before executing macros from untrusted sources.
- Low (not recommended) — All macros will be executed without confirmation. Use this setting only if you are certain that all documents that will be opened are safe.
Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password
LibreOffice users may save passwords in the configuration database that LibreOffice may use for web connections. The passwords are encrypted with a master password that users set manually.
A vulnerability was found in LibreOffice that could allow malicious actors to retrieve passwords stored by the Office suite. LibreOffice used the same “initialization vector for encryption” for every stored entry, which weakened the encryption for an attacker who has access to the user’s configuration data.
The issue was fixed in LibreOffice 7.2.7 and 7.3.3 and later. The newer versions use unique initialization vectors when master passwords are created and stored. Users are prompted by the application to reenter their master password to re-encrypt old configuration data that has been stored using the encryption weakness.
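The following added example (not LibreOffice’s own cipher or code) shows why a static initialization vector undermines otherwise sound encryption. It uses a simplified counter-mode construction over HMAC-SHA256 as a stand-in for any keystream cipher, a constructed key in place of the one derived from the master password, and two constructed sample passwords.

```python
import hashlib
import hmac


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF; the IV is the per-entry nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, iv, len(plaintext)))


# Constructed key; stands in for the key derived from the master password.
KEY = hashlib.sha256(b"master-password-example").digest()
STATIC_IV = b"\x00" * 16  # the flawed design: one IV reused for every entry


def recovered_password(iv_known: bytes, iv_target: bytes) -> bytes:
    """Model an attacker who holds the configuration store and knows one of the
    stored passwords (e.g. an account they created). If both entries were
    encrypted under the same key and IV, the keystreams cancel out:
    C_known XOR C_target = P_known XOR P_target, so P_target falls out
    without the master password. Unique IVs break this relation."""
    known_pw = b"hunter2-known"    # constructed sample entry
    target_pw = b"S3cret-target"   # constructed sample entry
    ct_known = encrypt(KEY, iv_known, known_pw)
    ct_target = encrypt(KEY, iv_target, target_pw)
    return xor(xor(ct_known, ct_target), known_pw)
```

Calling `recovered_password(STATIC_IV, STATIC_IV)` returns the target password; with two distinct IVs the same computation yields unrelated bytes.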
Weak Master Keys
The Weak Master Keys vulnerability affects master passwords in LibreOffice. In older versions, the master key was poorly encoded, which reduced its entropy from 128 to 43 bits. This makes the stored passwords vulnerable to a brute force attack if an attacker has access to the user’s stored configuration.
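The following added example (not LibreOffice code) measures how much entropy a random 16-byte key keeps after each byte passes through an encoding step, which is the class of defect described above. The `digit_only` encoding is a hypothetical lossy mapping constructed for illustration, not the actual LibreOffice encoding, so it does not reproduce the 43-bit figure.

```python
import math
from collections import Counter
from typing import Callable, Hashable

Encoder = Callable[[int], Hashable]


def per_byte_entropy(encode_byte: Encoder) -> tuple[float, float]:
    """Push all 256 byte values through the encoder and measure what survives.
    Returns (shannon_bits, min_entropy_bits) for a single key position."""
    counts = Counter(encode_byte(b) for b in range(256))
    total = 256
    shannon = -sum(c / total * math.log2(c / total) for c in counts.values())
    min_entropy = -math.log2(max(counts.values()) / total)  # worst-case guess
    return shannon, min_entropy


def key_entropy_bits(encode_byte: Encoder, key_bytes: int = 16) -> float:
    """Min-entropy of a key made of key_bytes independent random bytes,
    each stored only after passing through encode_byte."""
    return key_bytes * per_byte_entropy(encode_byte)[1]


def brute_force_speedup(encode_byte: Encoder, key_bytes: int = 16) -> float:
    """Factor by which the guess space shrinks compared with a full 128-bit key."""
    return 2 ** (128 - key_entropy_bits(encode_byte, key_bytes))


def keep_byte(b: int) -> int:
    """Lossless encoding: the byte is stored as-is (8 bits per position)."""
    return b


def digit_only(b: int) -> str:
    """Hypothetical lossy encoding: each random byte collapses to one decimal digit."""
    return str(b % 10)
```

Run `key_entropy_bits` over the real encoder of any key-storage routine you maintain; anything noticeably below 8 bits per byte is a finding.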
LibreOffice fixed the vulnerability in the versions listed above. Existing users are asked to re-enter their master passwords to re-encrypt the user’s configuration storage.