LibreOffice security update fixes macro execution bypass and potential password leaking
The developers of LibreOffice have released updates for the open source Office suite to patch three security issues.
LibreOffice is a popular cross-platform Microsoft Office alternative that is available for Windows, macOS and Linux. All three desktop versions of LibreOffice are vulnerable to the security issues. Attackers may bypass LibreOffice's macro execution feature to run malicious macros and may access encrypted passwords when they exploit the issues successfully.
LibreOffice 7.2.7 and 7.3.3 or later are secure
Updates for LibreOffice have been available for some time, but users and system administrators should check the installed versions to make sure that installations are protected against potential attacks targeting the vulnerabilities.
The latest versions of LibreOffice are LibreOffice 7.3.5.2 and LibreOffice 7.2.7; both are available as downloads on the official website. To help the project save bandwidth, torrent downloads are recommended.
Existing installations may be updated by running the provided installer. It walks users through setting up LibreOffice and the installation of optional components.
Here is what you need to do to check the installed LibreOffice version:
- Open any LibreOffice application, e.g., LibreOffice Writer.
- Select Help > About LibreOffice.
The page that opens displays the installed version. If it is lower than 7.2.7 or 7.3.3, LibreOffice is vulnerable to attacks that target the vulnerabilities.
LibreOffice supports manual update checks and the downloading of updates using the Office client. Select Help > Check for Updates to run a check. The application checks if a new version is available; a new version is then downloaded and installed.
LibreOffice security vulnerabilities
Three security vulnerabilities were reported to LibreOffice by OpenSource Security GMBH on behalf of the German Federal Office for Information Security. The vulnerabilities have received a severity rating of high, which is the second only to a severity rating of critical.
Here is the list of vulnerabilities:
- CVE-2022-26305 -- Execution of Untrusted Macros Due to Improper Certificate Validation
- CVE-2022-26306 -- Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password
- CVE-2022-26307 -- Weak Master Keys
Execution of Untrusted Macros Due to Improper Certificate Validation
LibreOffice supports the execution of macros, but limits the execution to macros to documents that are either stored in a trusted file location or are signed by a trusted certificate. LibreOffice maintains a list of trusted certificates that are stored in the user's configuration database.
When a document contains macros, LibreOffice attempts to match the certificate to the list of trusted certificates. The macro is executed if a matching certificate is found, and blocked otherwise.
Security researchers detected an issue in the certification validation algorithm that LibreOffice uses. LibreOffice matched "the serial number and issuer string of the used certificate with that of a trusted certificate" only, which is insufficient.
An attacker could create an arbitrary certificate that matches the serial number and issuer string of a trusted certificate that LibreOffice uses. LibreOffice could then allow the execution of macros that are not signed using the trusted certificate; this could lead to the execution of arbitrary code on the system using macros that are not trusted.
The exploit does not work if no trusted certificates are stored in LibreOffice or if the macro security level is set to very high.
Changing the macro security setting
To check or change the macro security setting, do the following:
- Open a LibreOffice application, e.g., LibreOffice Writer.
- Select Tools > Options, or use the keyboard shortcut Alt-F12 to open the preferences.
- Go to LibreOffice > Security.
- Activate the Macro Security button.
The page that opens displays the current security level of macros in LibreOffice. The default setting is high, the other settings are very high, medium, and low.
- Very High -- Only macros from trusted file locations are allowed to run. All other macros, regardless whether signed or not, are disabled.
- High -- Only signed macros from trusted sources are allowed to run. Unsigned macros are disabled.
- Medium -- Confirmation required before executing macros from untrusted sources.
- Low (not recommended) -- All macros will be executed without confirmation. Use this setting only if you are certain that all documents that will be opened are safe.
Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password
LibreOffice users may save passwords in the configuration database that LibreOffice may use for web connections. The passwords are encrypted with a master password that users set manually.
A vulnerability was found in LibreOffice that could allow malicious actors to retrieve passwords stored by the Office suite. LibreOffice used the same "initialization vector for encryption", which weakened the security of the encryption, provided that an attacker has access to the user's configuration data.
The issue was fixed in LibreOffice 7.2.7 and 7.3.3 and later. The newer versions use unique initialization vectors when master passwords are created and stored. Users are prompted by the application to reenter their master password to re-encrypt old configuration data that has been stored using the encryption weakness.
Weak Master Keys
The Weak Master Keys vulnerability affects master passwords in LibreOffice. A flaw in older versions of LibreOffice existed that weakened the entropy; this flaw makes the stored passwords vulnerable to brute force attacks, provided that the attacker has access to the users stored configuration.
A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config.
LibreOffice fixed the vulnerability in the versions listed above. Existing users are asked to re-enter their master passwords to re-encrypt the user's configuration storage.
Closing Words
The latest LibreOffice versions are safe to use, as the security issues have been patched in them. Users and administrators should ensure that the latest versions are installed to protect their data and devices from potential attacks.
It is advised to install the updates even on systems without trusted certificates or stored passwords. Some LibreOffice users may want to improve the security of macro executions in the application further by increasing the security level from high to very high, as described above.
Now You: do you use LibreOffice? when do you update the application?
@Peterc + @Martin
thanks, both!,
All very good info
to make the right decision…
@joe:
When I was using Linux Mint and Kubuntu on a regular basis — before I got a new laptop that made the slowness of my decade-plus-old laptops running Linux *unbearable* by comparison — I remember getting fed up with the “staleness” of the [stable, vetted, conservative] “Still” LibreOffice releases in the official repo and switching to a LibreOffice “Fresh” PPA. It worked great, and it was nice to have the same up-to-date version of LibreOffice on my Linux computers as on my Windows computer.
Bearing in mind that I’ve been out of the loop on Linux for a couple of years:
* If you prefer to stick with a “Still” release of LibreOffice, according to Repology.org there is a “secure” 7.2.7 Still release for Ubuntu 20.04 in the Ubuntu Backports repository, so I *think* you should be able to enable the Backports repository — In Software Manager? In Software Updater? Sorry; Gnome and I don’t get along, so I didn’t spend much time in Ubuntu before ditching it for something else — and update LibreOffice Still to the “newly available” 7.2.7 in the usual manner.
If you want a “Fresh” release with the latest features and improvements (but potentially also new bugs), I think the instructions in this article should probably work:
How to install LibreOffice 7.3 on Linux Mint, Ubuntu, MX Linux, Debian… – libre-software.net
https://libre-software.net/how-to-install-libreoffice-on-ubuntu-linux-mint/
At any rate, it looks like there are still “official” LibreOffice PPAs for both Fresh and Still:
* https://launchpad.net/~libreoffice/+archive/ubuntu/ppa
* https://launchpad.net/~libreoffice/+archive/ubuntu/libreoffice-still
For what it’s worth, I’ve appreciated being able to use some of the new features in Fresh during the time it takes Still to catch up, and I’ve had remarkably good luck with the new bugs that Fresh is more prone to. [Interestingly, the only bug that was problematic enough to make me revert to the previous release affected only the Windows x64 build!] However, choosing between new-and-improved features and somewhat better reliability is something each user must decide for himself.
I hope at least some of what I’ve written puts you on the right path to getting a secure version of LibreOffice. With luck, someone with more up-to-date “LibreOffice on Linux” experience will chime in to correct any inadvertent gaffes!
Is OpenOffice.org vulnerable to this issue?
It appears to some. OpenOffice 4.1.13 fixes several security issues, including issues with macros and certificates: https://blogs.apache.org/ooo/
Hi Martin –
In my UBUNTU LINUX 20.04,
(latest CHROME version…),
Libre Office shows Version: 6.4.7.2.
Following your instructions,
but my Chrome Help menu does not show
any option to upgrade LibreOffice….
How to add the correct PPA
to upgrade to this new, “safer” LibreOffice version?.
Thanks!
Joe
SF
======
Joe check this out, especially the “installing a newer version of LibreOffice than available via Ubuntu repositories” part : https://wiki.ubuntu.com/LibreOffice
So for Libre Office it seems you have to download the full suite, no small(er) patch files available….(?)
As per comments above (?) it appears Apache Open Office has also issued a security update
https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.13+Release+Notes
– infuriatingly no torrent download option (item is from sourceforge so no easy way of getting the direct url link for getting it in a download manager it appears) and interestingly it is still 32-bit, no x64.
I’m certainly unable to understand how the Libreoffice development team is completely unable to fix the LO weird menu, as it shows the worst colour combination ever. Please, come on dudes, don’t you know how to combine the colours to see them easily? Just see, pleas again, that the highlighted menu is DARK BLUE and the letters are BLACK. There is imposible to work with this crap colours, this is a terrible pain for the eyes and this makes LO unusable for long time tasks. Also the hightlighted menus are very narrow, too narrow. So please, again, please you dudes just fix these basic things before doing more useless releases. Thanks for the article! :]
@ John G.
Colours are perfectly fine in a default install.
You’ve obviously been changing the theme and have ‘broken it’ yourself.
Revert back to default and start again.
@DrKnow the default colours of the menus out of the box of LibreOffice are nonsense, letters are black and highlighted menus are dark blue. Such a big example of european software!
@John G.:
“Such a big example of [E]uropean software!”
A lot of Americans — or at least people working for American software companies — contribute to LibreOffice. Back when I had more time and energy, I was pretty diligent about filing LibreOffice bug reports, and for whatever reason, the most serious or annoying ones usually got investigated and fixed by “paid volunteers” from Red Hat. Red Hat and its new conglomerate owner, IBM, are *not* European.
Regardless, while I have no recollection of what LibreOffice looked like “out of the box” on my computers, black on dark-blue highlights is something I would *definitely* remember, since I would have been *unable to read* highlighted menu items. In fact, with the exception of custom toolbar buttons, I’m pretty sure I didn’t get around to “personalizing” my LO interface for at least a year after I began using it. If I *had* been confronted with black on dark blue, I would have personalized the interface on DAY ONE!
You didn’t say what OS you were running LO on, but my *guess* is that the default LO install picked up some color elements from your particular “OS theme” in an unhappy/unlucky way. The problem is almost certainly fixable by going through the LibreOffice Options submenus I mentioned earlier. Moreover, LO is a highly back- and forward-compatible program. We’re now at LibreOffice 7.x and the program still uses the same user-profile folder as LibreOffice 4, 5, and 6 did. In other words, unless and until LO switches to a new user-profile folder for some future major release, any personalizations you make are going to “stick” indefinitely with zero effort on your part. Another possibility is that you need to install the proper color-profile file (ICC or ICM file) for your monitor. And finally, maybe you need to get your eyes checked. I know I’m going to have to go in for cataract surgery (i.e., get artificial lens implants*) one of these days. Maybe you do, too.
*My 95-year-old dad got some fancy new multi-focal lens implants a few years back, and he now sees better *without* glasses than I do *with* glasses. In fact, he doesn’t even *need* glasses anymore. It’s infuriating! ;-)
@John G.:
It’s been so long since I “personalized” my LO interface that I have no recollection *whatsoever* of what the default color scheme for menus might have been, but if it’s black on dark-blue highlights for you, I empathize. I have early-stage cataracts, and black and dark blue are the *most difficult colors for me to distinguish*. (Runners-up? Purple and brown, at least in dim light, and medium blue on medium/dark brown … which just happens to be the inalterable fretboard color scheme in TuxGuitar. Young whippersnapper programmers with perfect vision sometimes forget to consider those of us not similarly gifted.)
But I digress. LibreOffice is now one of my programs that’s easiest on the eyes and easiest to read. I no longer remember *everything* I might have done to make it so, beyond selecting “Sand” as my “Preinstalled Theme” and “Sifr (SVG)” as my “Icon Style,” but I suggest you go to Tools > Options > LibreOffice and have a look at the Personalization, Application Colors, and Accessibility submenus (and the View submenu, too, if you want to try a different Icon Style). I have a very strong hunch I made no changes at all in the Application Colors submenu, since I’m generally allergic to that kind of item-by-item tweaking, and that I was able to get a highly legible interface with very little effort, so I’m guessing you should be able to as well.
As for Martin’s question, I use what used to be called the “Fresh” edition of LibreOffice, with the latest features and bug fixes but also with a higher potential for new bugs and regressions, and I update it pretty much as soon as SUMo tells me a final-release update is available. Since the days of LibreOffice 4.x, I can only recall two releases (out of *dozens*) that were problematic for me, and only one of those was problematic enough to make to make me revert to the previous release. Of course, every user uses different features and works on different kinds of documents, so some users may be better off using LibreOffice “Still” (which lags on new features but has been vetted for longer), or at a minimum holding off on updating for longer than I do.
At any rate, because I *am* a prompt updater, I’ve been protected from this vulnerability since early May of this year. I’m not sure I ever needed to worry, since the only macros I run are ones I’ve recorded and hacked myself, but I suppose I might have a downloaded template or two that has something naughty in it. And since I almost never use templates created by other people (even if I’ve downloaded them “just in case”), I probably didn’t need to worry about those, either.
I appreciate the article, Martin, and I hope John G. is able to make LO’s interface legible with minimal effort!
I like LibreOffice and I use it on my pc for personal stuff. I also have Office for work activities.
However, it’s been years and they still can’t provide an in place updater for Windows (Linux uses the system provided updater). The installer is not too big, but it always tries to change the file associations.
I’m using both Office suites as well.