The maintainers of LibreOffice and OpenOffice have shipped security updates to their productivity software to remediate multiple vulnerabilities that could be weaponized by malicious actors to alter documents to make them appear as if they are digitally signed by a trusted source.
The list of the three flaws is as follows:
- CVE-2021-41830 / CVE-2021-25633 – Content and Macro Manipulation with Double Certificate Attack
- CVE-2021-41831 / CVE-2021-25634 – Timestamp Manipulation with Signature Wrapping
- CVE-2021-41832 / CVE-2021-25635 – Content Manipulation with Certificate Validation Attack
Successful exploitation of the vulnerabilities could permit an attacker to manipulate the timestamp of signed ODF documents, and worse, alter the contents of a document or self-sign a document with an untrusted signature, which is then tweaked to change the signature algorithm to an invalid or unknown algorithm.
In both of the latter two attack scenarios, which stem from improper certificate validation, LibreOffice incorrectly displays a validly signed indicator suggesting that the document hasn't been tampered with since signing, and presents a signature with an unknown algorithm as a legitimate signature issued by a trusted party.
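The following added example, which is not code from LibreOffice, OpenOffice or the NDS researchers, shows a fail-closed triage check for the unknown-algorithm case: it reads the XML-DSig signature streams of an ODF package and reports every signature whose `SignatureMethod` is missing or not on an allowlist. The allowlist, the function names and the sample package are assumptions constructed for the example, and the check does not verify signatures cryptographically.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Assumption: a local policy allowlist of XML-DSig signature algorithms.
ALLOWED = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}
PARTS = ("META-INF/documentsignatures.xml", "META-INF/macrosignatures.xml")

def audit_odf_signatures(odf_bytes):
    """Return (part, signature Id, problem) tuples; an empty list means no finding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for part in PARTS:
            if part not in zf.namelist():
                continue
            data = zf.read(part)
            if b"<!DOCTYPE" in data:  # refuse DTDs before parsing untrusted XML
                findings.append((part, None, "DOCTYPE present"))
                continue
            for sig in ET.fromstring(data).iter(DS + "Signature"):
                method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
                alg = None if method is None else method.get("Algorithm")
                if alg not in ALLOWED:  # fail closed: unknown or missing is a finding
                    findings.append((part, sig.get("Id"), f"algorithm not allowed: {alg}"))
    return findings

def build_sample(algorithms):
    """Constructed input: a minimal ODF-like ZIP with one signature stub per algorithm."""
    sigs = "".join(
        f'<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="sig{i}">'
        f'<SignedInfo><SignatureMethod Algorithm="{a}"/></SignedInfo></Signature>'
        for i, a in enumerate(algorithms)
    )
    xml = ('<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:'
           f'digitalsignature:1.0">{sigs}</document-signatures>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/documentsignatures.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample(["http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                           "urn:example:unknown-alg"])  # second value is a placeholder
    for finding in audit_odf_signatures(sample):
        print(finding)
```

A finding here only means the document should not be treated as validly signed until it has been checked with a patched office suite.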
The weaknesses have been fixed in OpenOffice version 4.1.11 and LibreOffice versions 7..5, 7..6, 7.1.1 as well as 7.1.2. The Chair for Network and Data Security (NDS) at the Ruhr-University Bochum has been credited with discovering and reporting all three issues.
The findings are the latest in a series of flaws uncovered by the Ruhr-University Bochum researchers and follow similar attack techniques disclosed earlier this year that could potentially enable an adversary to modify a certified PDF document's visible content by displaying malicious content over the certified content without invalidating its signature.
Users of LibreOffice and OpenOffice are advised to update to the latest version to mitigate the risk associated with the flaws.