The maintainers of LibreOffice and OpenOffice have transported security updates to their efficiency program to remediate a number of vulnerabilities that could be weaponized by destructive actors to alter documents to make them look as if they are digitally signed by a trusted supply.
The checklist of the 3 flaws is as follows —
- CVE-2021-41830 / CVE-2021-25633 – Written content and Macro Manipulation with Double Certification Attack
- CVE-2021-41831 / CVE-2021-25634 – Timestamp Manipulation with Signature Wrapping
- CVE-2021-41832 / CVE-2021-25635 – Content material Manipulation with Certification Validation Attack
Prosperous exploitation of the vulnerabilities could allow an attacker to manipulate the timestamp of signed ODF files, and worse, alter the contents of a document or self-sign a document with an untrusted signature, which is then tweaked to adjust the signature algorithm to an invalid or not known algorithm.
In both of those the latter two attack situations — stemming as a outcome of poor certificate validation — LibreOffice improperly shows a validly signed indicator suggesting that the document has not been tampered with considering the fact that signing and presents a signature with an unidentified algorithm as a genuine signature issued by a trustworthy social gathering.
The weaknesses have been mounted in OpenOffice version 4.1.11 and LibreOffice versions 7..5, 7..6, 7.1.1 as nicely as 7.1.2. The Chair for Network and Details Security (NDS) at the Ruhr-University Bochum has been credited with discovering and reporting all 3 issues.
The conclusions are the most current in a collection of flaws uncovered by the Ruhr-College Bochum researchers and comply with identical attack approaches disclosed previously this calendar year that could most likely empower an adversary to modify a certified PDF document’s obvious articles by displaying destructive content in excess of the certified content without the need of invalidating its signature.
People of LibreOffice and OpenOffice are recommended to update to the most up-to-date model to mitigate the risk connected with the flaws.
Found this post appealing? Follow THN on Fb, Twitter and LinkedIn to read through much more special written content we put up.
Some parts of this article are sourced from:
thehackernews.com
GitHub Revoked Insecure SSH Keys Generated by a Popular git Client