The LibreOffice suite has been updated to address several security vulnerabilities related to the execution of macros and the protection of passwords for web connections.
The developer implemented fixes in the stable release of the product (LibreOffice 7.2) and the unstable branch (7.3).
In total, there are fixes for three vulnerabilities. The first one is tracked as CVE-2022-26305 and allows macro code to run on the target device even if the certificate used to sign the macro doesn’t match the entries in the user’s configuration database.
LibreOffice features a check to determine if a macro was created and signed by someone the user trusts (i.e. a colleague) so it wouldn’t execute the macro code in case of a mismatch.
“An adversary could create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading the user to execute arbitrary code contained in macros improperly trusted,” explains the advisory.
The second issue is now identified as CVE-2022-26307. It addresses a problem with the poor encoding of the master key that stores passwords for web connections in the user’s configuration database.
The bad encoding of the key weakened its entropy from 128 to 43 bits, allowing an attacker to brute force it and access the stored passwords.
In the updated version of the software users with stored passwords will be prompted automatically to to re-encrypt them using the fixed method.
Finally, there’s CVE-2022-26306, a flaw that allows attackers with access to the user’s configuration data to retrieve passwords for web connections without knowing the master password.
Mitigation
LibreOffice offers security options for macros, ranging from “low” to “very high”, which activate different sets of execution policies depending on the level of trust the user is comfortable accepting.
For example, if set to low, all macros will be executed even if they’re unsigned. The medium security level displays a dialog asking the user to approve the execution of macros.
In the case of CVE-2022-26307, the flaw is not exploitable if the macro security level is set to “very high” or if the user doesn’t maintain a database of trusted certificates.
To check your macro security settings, navigate to Tools → Options → LibreOffice → Security, click on “Macro Security”, and set the level to “very high”.
It is estimated that LibreOffice has 200 million users. Many of them are students and Linux users looking for an open-source alternative to Microsoft Office as well as a an office productivity software suite that is less targeted by threat actors.
The latest available version on the official download portal is 7.3.5.2, which features fixes for the mentioned flaws, but those appreciating a more stable performance might want to get 7.2.7 instead.
