The maintainers of LibreOffice and OpenOffice have shipped security updates to their productivity software to remediate a number of vulnerabilities that could be weaponized by malicious actors to alter documents to make them appear as if they’re digitally signed by a trusted source.
The list of the three flaws is as follows —
Successful exploitation of the vulnerabilities could permit an attacker to manipulate the timestamp of signed ODF documents, and worse, alter the contents of a document or self-sign a document with an untrusted signature, which is then tweaked to change the signature algorithm to an invalid or unknown algorithm.
In both of the latter two attack scenarios, which stem from improper certificate validation, LibreOffice incorrectly displays a validly signed indicator suggesting that the document hasn’t been tampered with since signing and presents a signature with an unknown algorithm as a legitimate signature issued by a trusted party.
The weaknesses have been fixed in OpenOffice version 4.1.11 and LibreOffice versions 7.0.5, 7.0.6, 7.1.1 as well as 7.1.2. The Chair for Network and Data Security (NDS) at the Ruhr-University Bochum has been credited with discovering and reporting all three issues.
The findings are the latest in a series of flaws uncovered by the Ruhr-University Bochum researchers and follow similar attack techniques disclosed earlier this year that could potentially enable an adversary to modify a certified PDF document’s visible content by displaying malicious content over the certified content without invalidating its signature.
Users of LibreOffice and OpenOffice are advised to update to the latest version to mitigate the risk associated with the flaws.