- The Document Foundation has released updates to patch 3 vulnerabilities in the open-source office suite, LibreOffice.
- The vulnerabilities were reported to LibreOffice by OpenSource Security GmbH on behalf of the German Federal Office for Information Security (BSI).
- The vulnerabilities affect LibreOffice 7.2 versions prior to 7.2.7 and 7.3 versions prior to 7.3.1 (CVE-2022-26305) or 7.3.3 (CVE-2022-26306 and CVE-2022-26307).
LibreOffice, a popular alternative to Microsoft Office, has released updates that resolve three vulnerabilities. One of them lets a macro that was never signed by a trusted author pass as trusted, so a user could be led to execute arbitrary code contained in it; the other two weaken the encryption of the passwords LibreOffice stores for web connections, so an attacker with access to the user's configuration data could recover them.
LibreOffice security vulnerabilities
Three security flaws were reported to the LibreOffice team by OpenSource Security GmbH on behalf of the German Federal Office for Information Security. They affect LibreOffice 7.2 versions prior to 7.2.7 and 7.3 versions prior to 7.3.1 or 7.3.3, as noted for each CVE below. The list of vulnerabilities is as follows:
- Tracked under CVE-2022-26305, an improper certificate validation flaw was found in the check LibreOffice uses to decide whether a macro was signed by a trusted author. The check only compared the serial number and issuer string of the signing certificate with those of a trusted certificate, which does not establish that the macro was actually signed with that certificate. An attacker could therefore create an arbitrary certificate with the same serial number and issuer string as a trusted one; LibreOffice would present the macro as coming from the trusted author, potentially leading the user to execute arbitrary code contained in macros that were improperly trusted. Affects 7.2 versions prior to 7.2.7 and 7.3 versions prior to 7.3.1.
- Tracked under CVE-2022-26306, a flaw was found in the way LibreOffice encrypts the passwords it stores for web connections in the user's configuration, which are protected with a single master key supplied by the user: the initialization vector required for the encryption was always the same. A constant IV weakens the encryption and leaves the stored passwords exposed to an attacker who has access to the user's configuration data. Affects 7.2 versions prior to 7.2.7 and 7.3 versions prior to 7.3.3.
- Tracked under CVE-2022-26307, a flaw was found in the same password store: the master key was poorly encoded, reducing its entropy from 128 to 43 bits and leaving the stored passwords open to a brute-force attack by an attacker who has access to the user's stored configuration. Affects 7.2 versions prior to 7.2.7 and 7.3 versions prior to 7.3.3.
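To make the certificate validation flaw behind CVE-2022-26305 concrete, here is an added example written for this article (it is not code from LibreOffice or from the advisory). `weakIsTrusted` reproduces the described check, matching only the serial number and issuer string, and `strictIsTrusted` is the corrected check that insists on the trusted certificate itself and verifies the signature. The `SignedMacro` structure, the P-256/SHA-256 signature scheme, the serial number 4242, the author name and the macro text are all constructed for the demonstration and do not reflect LibreOffice's ODF signature format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedMacro is a simplified stand-in for a signed macro: the macro bytes,
// the signer's certificate and a signature over the bytes (an illustration,
// not LibreOffice's ODF signature format).
type SignedMacro struct {
	Payload   []byte
	Cert      *x509.Certificate
	Signature []byte
}

// must aborts the demo on an unexpected crypto error.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newSelfSignedCert builds a self-signed P-256 certificate with the given
// serial number and issuer/subject common name, and returns its private key.
func newSelfSignedCert(serial int64, cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// signMacro signs payload with key and attaches cert as the claimed signer.
func signMacro(payload []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) *SignedMacro {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	must(err)
	return &SignedMacro{Payload: payload, Cert: cert, Signature: sig}
}

// weakIsTrusted reproduces the flawed logic described for CVE-2022-26305:
// accept the signer when serial number and issuer string match the trusted
// certificate. The signature is never verified, so any certificate that
// copies those two fields passes.
func weakIsTrusted(m *SignedMacro, trusted *x509.Certificate) bool {
	return m.Cert.SerialNumber.Cmp(trusted.SerialNumber) == 0 &&
		m.Cert.Issuer.String() == trusted.Issuer.String()
}

// strictIsTrusted is the corrected check: the attached certificate must be
// the trusted certificate itself (byte-for-byte), and the signature must
// verify under that certificate's public key over the macro bytes.
func strictIsTrusted(m *SignedMacro, trusted *x509.Certificate) bool {
	return trusted.Equal(m.Cert) &&
		trusted.CheckSignature(x509.ECDSAWithSHA256, m.Payload, m.Signature) == nil
}

// Verdict records how each check judged a genuine and a forged macro.
type Verdict struct {
	GenuineWeak, GenuineStrict, ForgedWeak, ForgedStrict bool
}

// Run builds a trusted author certificate, a forged certificate that copies
// only its serial number and issuer name (the attacker never sees the
// author's private key), and a constructed macro signed by each.
func Run() Verdict {
	authorCert, authorKey := newSelfSignedCert(4242, "Trusted Macro Author")
	forgedCert, forgedKey := newSelfSignedCert(4242, "Trusted Macro Author")
	macro := []byte("Sub Main\n  Shell(\"calc\")\nEnd Sub\n") // constructed sample
	genuine := signMacro(macro, authorCert, authorKey)
	forged := signMacro(macro, forgedCert, forgedKey)
	return Verdict{
		GenuineWeak:   weakIsTrusted(genuine, authorCert),
		GenuineStrict: strictIsTrusted(genuine, authorCert),
		ForgedWeak:    weakIsTrusted(forged, authorCert),
		ForgedStrict:  strictIsTrusted(forged, authorCert),
	}
}

func main() {
	fmt.Printf("%+v\n", Run()) // {GenuineWeak:true GenuineStrict:true ForgedWeak:true ForgedStrict:false}
}
```

The forged certificate carries no knowledge of the author's private key, so it passes the weak check purely by copying two metadata fields and fails the strict one because `Equal` compares the raw DER and `CheckSignature` actually verifies the signature. A real implementation would verify a chain to a trusted root rather than demand the exact leaf, but the principle is the same: trust has to come from a verified signature, not from metadata on the certificate.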
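As an added illustration of why the constant IV in CVE-2022-26306 matters (this is example code written for this article, not LibreOffice's password-store code; AES-CTR, the SHA-256 key derivation, the master password, the two stored entries and every name in it are constructed assumptions), the Go program below encrypts two stored entries under the same master key once with a fixed IV and once with a fresh random IV per entry, then runs the attack available to someone holding the configuration file:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveKey stands in for turning the user's master password into a key; a
// plain SHA-256 is an assumption for the demonstration, not LibreOffice's KDF.
func deriveKey(masterPassword string) []byte {
	k := sha256.Sum256([]byte(masterPassword))
	return k[:]
}

// fixedIV models the flaw described for CVE-2022-26306: one constant IV
// reused for every stored entry.
var fixedIV = make([]byte, aes.BlockSize)

// newCTR returns an AES-CTR stream for key and iv (AES-CTR is a stand-in
// for whichever stream mode the real store uses).
func newCTR(key, iv []byte) cipher.Stream {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return cipher.NewCTR(block, iv)
}

// encryptFixedIV is the vulnerable pattern: constant IV, nothing stored.
func encryptFixedIV(key, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	newCTR(key, fixedIV).XORKeyStream(out, plaintext)
	return out
}

// encryptRandomIV is the corrected pattern: a fresh random IV per entry,
// written in front of the ciphertext so the decryptor can recover it.
func encryptRandomIV(key, plaintext []byte) []byte {
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		panic(err)
	}
	newCTR(key, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out
}

// xorBytes XORs a and b up to the shorter length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverWithKnownEntry is what an attacker holding the configuration file
// can do once every entry shares a keystream: one entry with known plaintext
// exposes the keystream, which strips any other entry of equal or shorter length.
func recoverWithKnownEntry(knownPlain, knownCipher, targetCipher []byte) []byte {
	return xorBytes(xorBytes(knownPlain, knownCipher), targetCipher)
}

// Result summarises the attack against both storage patterns.
type Result struct {
	RecoveredFixed     string // target password recovered from the fixed-IV store
	SamePasswordSameCT bool   // fixed IV: a reused password gives identical ciphertext
	RecoveredRandom    string // the same attack against the random-IV store
}

// Run encrypts constructed sample entries both ways and runs the attack.
func Run() Result {
	key := deriveKey("correct horse battery staple") // constructed master password
	known := []byte("attacker-known-value-0001")    // entry whose plaintext the attacker knows
	target := []byte("s3cret-bank-pw")              // entry the attacker is after
	fixedKnown := encryptFixedIV(key, known)
	fixedTarget := encryptFixedIV(key, target)
	fixedAgain := encryptFixedIV(key, target) // same password saved for a second site
	randKnown := encryptRandomIV(key, known)
	randTarget := encryptRandomIV(key, target)
	return Result{
		RecoveredFixed:     string(recoverWithKnownEntry(known, fixedKnown, fixedTarget)),
		SamePasswordSameCT: bytes.Equal(fixedTarget, fixedAgain),
		RecoveredRandom: string(recoverWithKnownEntry(known,
			randKnown[aes.BlockSize:], randTarget[aes.BlockSize:])),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

With a shared IV every entry is XORed with the same keystream, so two equal passwords produce equal ciphertexts and one known plaintext unmasks every other entry; with a per-entry IV that relation disappears. A per-entry random IV addresses only the IV reuse; CVE-2022-26307, where the master key itself offers just 43 bits of entropy, is a separate problem that an attacker holding the same file attacks by brute force on the key.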