Business

News

 
More...

Alerts

 
More...

Events

 
More...
 
     
 

Severe Security Flaws in LibreOffice

 

Systems Affected


LibreOffice versions below 6.2.6

Threat Level


High


Overview


An Attacker could craft a malicious document that can silently execute arbitrary python commands (CVE-2019-9851, CVE-2019-9850, CVE-2019-9852).


Description


  ✦  CVE-2019-9850: Discovered by Alex Infuhr, the vulnerability in LibreOffice exists due to insufficient URL validation that allows malicious attackers to bypass the protection added to patch CVE-2019-9848 and again trigger calling LibreLogo from script event handlers.
  ✦  CVE-2019-9851: Discovered by Gabriel Masei, this flaw resides in a separate feature where documents can specify pre-installed scripts, just like LibreLogo, which can be executed on various global script events such as document-open, etc.
  ✦  CVE-2019-9852: Discovered by Nils Emmerich of ERNW Research GmbH, a URL encoding attack could allow attackers to bypass patch for directory traversal attack.
By using above vulnerabilities an attacker could send a crafted document to users and then silently execute malicious commands on the system.


Impact


  ✦  Execute arbitrary code
  ✦  Data modifications


Solution/ Workarounds


  ✦  Apply LibreOffice latest patch 6.2.6/6.3.0


References


  ✦  https://thehackernews.com/2019/08/libreoffice-patch-update.html


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.