Patches for 2 Severe LibreOffice Flaws Bypassed — Update to Patch Again

If you are using LibreOffice, you need to update it once again.

LibreOffice has released the latest version 6.2.6/6.3.0 of its open-source office software to address three new vulnerabilities that could allow attackers to bypass patches for two previously addressed vulnerabilities.

LibreOffice is one of the most popular and open source alternatives to Microsoft Office suite and is available for Windows, Linux and macOS systems.

One of the two vulnerabilities, tracked as CVE-2019-9848, that LibreOffice attempted to patch just last month was a code execution flaw that affected LibreLogo, a programmable turtle vector graphics script that ships by default with LibreOffice.

This flaw allows an attacker to craft a malicious document that can silently execute arbitrary python commands without displaying any warning to a targeted user.

Apparently, the patch for this vulnerability was insufficient, as The Hacker News also reported late last month, which allowed two separate security researchers to bypass the patch and re-enable the attack by exploiting two new vulnerabilities, as explained below:

• CVE-2019-9850: Discovered by Alex Inführ, the vulnerability in LibreOffice exists due to insufficient URL validation that allows malicious attackers to bypass the protection added to patch CVE-2019-9848 and again trigger calling LibreLogo from script event handlers.

• CVE-2019-9851: Discovered by Gabriel Masei, this flaw resides in a separate feature where documents can specify pre-installed scripts, just like LibreLogo, which can be executed on various global script events such as document-open, etc.

The patch for the second vulnerability (CVE-2018-16858) that LibreOffice released in February has successfully been bypassed, re-enabling the directory traversal attack that could allow malicious documents to execute any script from arbitrary locations on the victim’s file system.

• CVE-2019-9852: Discovered by Nils Emmerich of ERNW Research GmbH, a URL encoding attack could allow attackers to bypass patch for directory traversal attack.

By successfully exploiting all these three vulnerabilities, a remote attacker can silently execute malicious commands on a targeted computer by convincing the victim into just opening a maliciously-crafted document file.

LibreOffice users are highly recommended to update their office software to the latest patched version 6.2.6/6.3.0 as soon as possible in order to avoid becoming victims to any attack exploiting these vulnerabilities.