LibreOffice security update fixes macro execution bypass and potential password leak
LibreOffice developers have released updates for the open source Office suite to fix three security issues.
LibreOffice is a popular cross-platform Microsoft Office alternative available for Windows, macOS, and Linux. Installations on all three desktop platforms are affected by the security issues. Attackers who successfully exploit them can bypass LibreOffice’s macro execution protections to run malicious macros, and can gain access to encrypted passwords.
LibreOffice 7.2.7 and 7.3.3 or later are safe
Updates for LibreOffice have been available for some time, but users and system administrators should check installed versions to ensure that installations are protected against potential attacks targeting vulnerabilities.
The latest versions of LibreOffice are LibreOffice 7.3.3 and LibreOffice 7.2.7; both are available for download on the official website. To help the project save bandwidth, torrent downloads are recommended.
Existing installations can be updated by running the provided installer. It guides users through configuring LibreOffice and installing optional components.
Here is what you need to do to check the installed version of LibreOffice:
- Open any LibreOffice application, for example, LibreOffice Writer.
- Select Help > About LibreOffice.
The page that opens displays the installed version. If it is lower than 7.2.7, or a 7.3.x release lower than 7.3.3, the installation is vulnerable to the three issues described below.
LibreOffice also supports manual update checks and downloads from within the Office client. Select Help > Check for Updates to run a check. The application checks whether a new version is available and, if so, downloads and installs it.
LibreOffice Security Vulnerabilities
Three security vulnerabilities have been reported to LibreOffice by OpenSource Security GmbH on behalf of the German Federal Office for Information Security. The vulnerabilities were given a high severity rating, which is second only to a critical severity rating.
Here is the list of vulnerabilities:
- CVE-2022-26305 — Execution of untrusted macros due to poor certificate validation
- CVE-2022-26306 — Static initialization vector allows recovering passwords for web logins without knowing the master password
- CVE-2022-26307 — Weak master keys
Running untrusted macros due to improper certificate validation
LibreOffice supports macro execution, but limits macro execution to documents that are either stored in a trusted file location or signed by a trusted certificate. LibreOffice maintains a list of trusted certificates which are stored in the user configuration database.
When a document contains macros, LibreOffice attempts to match the certificate used to sign them against the list of trusted certificates. The macros are executed if a matching certificate is found, and blocked otherwise.
Security researchers found a problem in the certificate validation algorithm used by LibreOffice. LibreOffice matched only “the serial number and issuer chain of the certificate used with those of a trusted certificate”, which is insufficient.
An attacker could create an arbitrary certificate matching the serial number and issuer chain of a trusted certificate used by LibreOffice. LibreOffice could then allow the execution of macros that are not signed using the trusted certificate; this could lead to the execution of arbitrary code on the system using untrusted macros.
The exploit does not work if no trusted certificate is stored in LibreOffice or if the macro security level is set to very high.
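The matching flaw described above, modelled as an added example (not LibreOffice’s own code). The certificates are constructed dicts standing in for X.509 fields, and the “fixed” matcher compares a SHA-256 fingerprint of the whole certificate as one sound replacement for serial-plus-issuer matching; this is an assumed fix, not necessarily the one LibreOffice shipped.

```python
# Added example (not LibreOffice code): models the trust-store check behind
# CVE-2022-26305. The weak matcher compares only serial number and issuer,
# fields anyone can copy into a self-made certificate. The fixed matcher
# compares a fingerprint of the full encoding, which covers the public key
# and the issuer's signature and so cannot be reproduced by an attacker.
import hashlib

def make_cert(serial: int, issuer: str, subject: str, public_key: bytes) -> dict:
    """Constructed stand-in for a certificate. 'der' stands in for the real
    DER encoding: it changes whenever any field, including the key, changes."""
    der = b"|".join([str(serial).encode(), issuer.encode(),
                     subject.encode(), public_key])
    return {"serial": serial, "issuer": issuer, "subject": subject,
            "public_key": public_key, "der": der}

def fingerprint(cert: dict) -> str:
    return hashlib.sha256(cert["der"]).hexdigest()

def is_trusted_weak(cert: dict, trusted: list) -> bool:
    """Pre-fix style check: serial number and issuer only."""
    return any(cert["serial"] == t["serial"] and cert["issuer"] == t["issuer"]
               for t in trusted)

def is_trusted_fixed(cert: dict, trusted: list) -> bool:
    """Assumed fix: compare the whole certificate via its fingerprint."""
    wanted = {fingerprint(t) for t in trusted}
    return fingerprint(cert) in wanted

# Constructed trust store holding one genuine macro-signing certificate.
GENUINE = make_cert(0x1234, "CN=Example Corp CA", "CN=Macro Signer",
                    b"genuine-public-key")
TRUSTED = [GENUINE]

# Constructed certificate that copies serial and issuer but carries a
# different key, so signatures made with it are not the trusted signer's.
FORGED = make_cert(0x1234, "CN=Example Corp CA", "CN=Macro Signer",
                   b"other-public-key")

def demo() -> dict:
    return {
        "weak_accepts_forged": is_trusted_weak(FORGED, TRUSTED),
        "fixed_accepts_forged": is_trusted_fixed(FORGED, TRUSTED),
        "fixed_accepts_genuine": is_trusted_fixed(GENUINE, TRUSTED),
    }

if __name__ == "__main__":
    print(demo())
```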
Changing the macro security setting
To check or change the macro security setting, follow these steps:
- Open a LibreOffice application, for example, LibreOffice Writer.
- Select Tools > Options or use the keyboard shortcut Alt-F12 to open preferences.
- Go to LibreOffice > Security.
- Click the Macro Security button.
The dialog that opens displays the current macro security level in LibreOffice. The default setting is High; the other settings are Very High, Medium, and Low.
- Very high — Only macros from trusted file locations are allowed to run. All other macros, whether signed or unsigned, are disabled.
- High — Only signed macros from trusted sources are allowed to run. Unsigned macros are disabled.
- Medium — Confirmation required before running macros from untrusted sources.
- Low (not recommended) — All macros are executed without confirmation. Use this setting only if you are certain that all documents that will be opened are safe.
Static initialization vector allows recovering passwords for web logins without knowing the master password
LibreOffice users can store passwords in the configuration database that LibreOffice can use for web logins. Passwords are encrypted with a master password that users set manually.
A vulnerability has been found in LibreOffice that could allow malicious actors to recover passwords stored by the Office suite. LibreOffice used the same “initialization vector for encryption” for every stored entry, which weakened the encryption, provided an attacker had access to the user configuration data.
The problem has been fixed in LibreOffice 7.2.7 and 7.3.3 and later. Newer versions use unique initialization vectors when creating and storing master passwords. Users are prompted by the app to re-enter their master password to re-encrypt old configuration data that was stored using the encryption flaw.
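Why a static initialization vector weakens the password store, as an added example that is not LibreOffice code. The cipher is a constructed keystream cipher (HMAC-SHA256 over key, IV and counter, XORed with the plaintext) standing in for the real algorithm; the point it shows holds for any stream or CFB mode, where the keystream depends only on the master key and the IV.

```python
# Added example (not LibreOffice code): model of the flaw behind
# CVE-2022-26306. With a fixed IV, two entries holding the same password
# encrypt to identical ciphertexts, so an attacker who reads the
# configuration learns which sites share a password without the master
# password. A fresh random IV per entry removes that leak.
import hashlib, hmac, os

STATIC_IV = b"\x00" * 16  # constructed stand-in for a hard-coded IV

def keystream(master_key: bytes, iv: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(master_key, iv + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(master_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    ks = keystream(master_key, iv, len(plaintext))
    return bytes(a ^ b for a, b in zip(plaintext, ks))  # XOR: same call decrypts

def store_static_iv(master_key: bytes, passwords: dict) -> dict:
    """Flawed layout: every entry reuses STATIC_IV."""
    return {site: (STATIC_IV, encrypt(master_key, STATIC_IV, pw))
            for site, pw in passwords.items()}

def store_fresh_iv(master_key: bytes, passwords: dict) -> dict:
    """Fixed layout: a random IV per entry, stored beside the ciphertext."""
    out = {}
    for site, pw in passwords.items():
        iv = os.urandom(16)
        out[site] = (iv, encrypt(master_key, iv, pw))
    return out

def reused_ivs(store: dict) -> set:
    """Audit helper: IVs that appear under more than one stored entry."""
    seen, dupes = set(), set()
    for iv, _ in store.values():
        (dupes if iv in seen else seen).add(iv)
    return dupes

def demo() -> dict:
    key = hashlib.sha256(b"constructed master password").digest()
    pws = {"mail.example": b"hunter2", "shop.example": b"hunter2"}  # constructed
    flawed, fixed = store_static_iv(key, pws), store_fresh_iv(key, pws)
    return {
        "static_iv_equal_ciphertexts": flawed["mail.example"][1] == flawed["shop.example"][1],
        "fresh_iv_equal_ciphertexts": fixed["mail.example"][1] == fixed["shop.example"][1],
        "static_iv_reused": bool(reused_ivs(flawed)),
        "fresh_iv_reused": bool(reused_ivs(fixed)),
    }
```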
Weak master keys
The weak master keys vulnerability affects the master password itself. In older versions of LibreOffice the master key was miscoded, which lowered its entropy from 128 to 43 bits. This makes stored passwords vulnerable to brute force attacks, provided the attacker has access to the user’s stored configuration.
LibreOffice fixed the vulnerability in the versions listed above. Existing users are prompted to re-enter their master password to re-encrypt their configuration store.
The latest versions of LibreOffice are safe to use, as the security issues have been fixed in them. Users and administrators should ensure that the latest versions are installed to protect their data and devices from potential attacks.
It is advisable to install updates even on systems without trusted certificates or stored passwords. Some LibreOffice users may wish to further improve the security of macro executions within the application by increasing the security level from high to very high, as described above.
Now you: do you use LibreOffice? When do you update the app?