OpenOffice and LibreOffice Digital Signature Spoofing Vulnerabilities

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows OS, Linux OS
Advisory ID:
ngCERT-2021-0055
Version:
N/A
CVE:
CVE-2021-41830, CVE-2021-25633, CVE-2021-41831, CVE-2021-25634, CVE-2021-41832, CVE-2021-25635
Published:
October 12, 2021

Summary


Three flaws have been uncovered in OpenOffice and LibreOffice that, if successfully exploited, could permit an attacker to manipulate the timestamp of signed ODF documents and, worse, alter the contents of a document or self-sign a document with an untrusted signature that is then tweaked to change the signature algorithm to an invalid or unknown algorithm.

Description & Consequence


OpenOffice is a discontinued open-source office suite. LibreOffice is a free and open-source office productivity software suite. It was forked in 2010 from OpenOffice.org, which was an open-sourced version of the earlier StarOffice. In two of the three attack scenarios, LibreOffice incorrectly displays a "validly signed" indicator, suggesting that the document has not been tampered with since it was signed. A trusted party that presents the signature of an unknown algorithm as a legitimate signature issued

Successful exploitation could allow an attacker to manipulate the timestamp of signed ODF documents, alter the contents of a document and self-sign a document with an untrusted signature, which is then tweaked to change the signature algorithm to an invalid or unknown algorithm.
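The unknown-algorithm scenario above comes down to a verifier trusting whatever algorithm URI the signature file names. The following added example (not code from the advisory, LibreOffice or OpenOffice) audits the algorithm identifiers in an ODF package's META-INF/documentsignatures.xml against an allow-list, so a document whose signature names an unrecognised algorithm is flagged rather than shown as validly signed. The allow-list contents and the minimal package built by build_sample_odf are assumptions constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SIG_PATH = "META-INF/documentsignatures.xml"

# Assumed allow-list: algorithm URIs this verifier is prepared to trust.
KNOWN_SIGNATURE_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
KNOWN_DIGEST_ALGS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}

def audit_odf_signature_algorithms(odf_bytes):
    """Return findings for algorithm URIs in the package's signature file that are
    not on the allow-list. An empty list means every algorithm is known; anything
    else means the 'signed' indicator must not be trusted for this document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        if SIG_PATH not in zf.namelist():
            return ["no signature file present"]
        root = ET.fromstring(zf.read(SIG_PATH))
    for sig in root.iter(DS + "Signature"):
        for sm in sig.iter(DS + "SignatureMethod"):
            alg = sm.get("Algorithm", "")
            if alg not in KNOWN_SIGNATURE_ALGS:
                findings.append("unknown signature algorithm: " + alg)
        for dm in sig.iter(DS + "DigestMethod"):
            alg = dm.get("Algorithm", "")
            if alg not in KNOWN_DIGEST_ALGS:
                findings.append("unknown digest algorithm: " + alg)
    return findings

def build_sample_odf(signature_alg, digest_alg):
    """Constructed minimal ODF-like package holding only a signature file (test data)."""
    xml = (
        '<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">'
        '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
        '<SignatureMethod Algorithm="%s"/>'
        '<Reference URI="content.xml"><DigestMethod Algorithm="%s"/><DigestValue>x</DigestValue></Reference>'
        '</SignedInfo><SignatureValue>x</SignatureValue></Signature></document-signatures>'
    ) % (signature_alg, digest_alg)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr(SIG_PATH, xml)
    return buf.getvalue()
```

This only checks that the named algorithms are ones the verifier understands; it does not replace cryptographic verification of the signature value and digests.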

Solution


The weaknesses have been fixed in OpenOffice version 4.1.11 and LibreOffice versions 7.0.5, 7.0.6, 7.1.1 as well as 7.1.2. Users of LibreOffice and OpenOffice are advised to update to the latest version to mitigate the risk associated with the flaws.
