The maintainers of LibreOffice and OpenOffice have released security updates for their productivity software to address several vulnerabilities that malicious actors could weaponize to alter documents so that they appear to be digitally signed by a trusted source.
The three flaws are as follows –
Successful exploitation of the vulnerabilities could allow an attacker to manipulate the timestamp of signed ODF documents and, worse, to change the contents of a document or to self-sign a document with an untrusted signature, which is then modified so that the signature algorithm is changed to an invalid or unknown one.
In both of the latter two attack scenarios, which result from improper certificate validation, LibreOffice incorrectly displays a valid-signature indicator, suggesting that the document has not been tampered with since signing, and presents a signature with an unknown algorithm as a legitimate signature issued by a trusted party.
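A defender can flag the "unknown algorithm" case described above without relying on the office suite's own indicator. The following is an added example, not code from LibreOffice, OpenOffice or the researchers; it assumes the signatures are stored as XML-DSig in `META-INF/documentsignatures.xml` inside the ODF package, and the function names and the allowlist are illustrative. It inspects the declared algorithm only and does not verify the signature or the certificate chain.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SIG_PART = "META-INF/documentsignatures.xml"  # assumed location of ODF signatures
MAX_SIG_BYTES = 1_000_000                     # refuse oversized signature parts
# Assumption: allowlist of SignatureMethod URIs this checker recognises.
KNOWN_ALGS = {
    DS + "rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}

def audit_signature_algorithms(odf_bytes):
    """Return [(signature Id, algorithm URI, verdict)] for each signature found."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        if SIG_PART not in pkg.namelist():
            return []  # unsigned document
        if pkg.getinfo(SIG_PART).file_size > MAX_SIG_BYTES:
            raise ValueError("signature part too large")
        xml_data = pkg.read(SIG_PART)
    if b"<!DOCTYPE" in xml_data:
        raise ValueError("DTD in signature part; refusing to parse")
    findings = []
    for sig in ET.fromstring(xml_data).iter(f"{{{DS}}}Signature"):
        method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
        alg = method.get("Algorithm") if method is not None else None
        # A missing or unrecognised algorithm must never be shown as valid.
        verdict = "known" if alg in KNOWN_ALGS else "unknown-algorithm"
        findings.append((sig.get("Id"), alg, verdict))
    return findings

def constructed_odf(alg):
    """Constructed sample: minimal zip with one signature stub (no real crypto)."""
    xml = ('<document-signatures xmlns="urn:oasis:names:tc:opendocument:'
           'xmlns:digitalsignature:1.0">'
           f'<Signature xmlns="{DS}" Id="sig1"><SignedInfo>'
           f'<SignatureMethod Algorithm="{alg}"/></SignedInfo></Signature>'
           '</document-signatures>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(SIG_PART, xml)
    return buf.getvalue()

if __name__ == "__main__":
    for alg in ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                "urn:example:not-an-algorithm"):
        print(audit_signature_algorithms(constructed_odf(alg)))
```

Any `unknown-algorithm` finding on a document that an unpatched client reports as validly signed is a reason to treat the signature as unverified.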
The vulnerabilities have been identified in OpenOffice version 4.1.11 and LibreOffice versions 7.0.5, 7.0.6, 7.1.1 and 7.1.2. The Chair for Network and Data Security (NDS) at Ruhr University Bochum has been credited with discovering and reporting all three issues.
The findings are the latest in a series of bugs uncovered by Ruhr University Bochum researchers and follow similar attack techniques revealed earlier this year that could potentially allow an adversary to change the visible content of a certified PDF document by displaying malicious content over the certified content without invalidating its signature.
LibreOffice and OpenOffice users are advised to update to the latest version to mitigate the risks associated with the flaws.