Patch included in LibreOffice 6.0.7 and 6.1.3 and newer

Feb 6, 2019 09:43 GMT

A Remote Code Execution (RCE) vulnerability has been discovered in LibreOffice on Windows and Linux, and users are advised to update to the latest version, as patched releases have already been issued.

Discovered by security researcher Alex Inführ, the flaw can be exploited with nothing more than a malicious ODT document that binds a macro to a mouse-hover event, so the script runs when the user simply moves the pointer over the trigger.

In an analysis of the vulnerability on his blog, Inführ explains that both the Windows and Linux builds of LibreOffice are affected, and that his proof of concept was tested successfully against version 6.1.2.1.

The Document Foundation (TDF) acknowledged the bug as CVE-2018-16858, adding that the flaw is fixed in LibreOffice 6.0.7 and 6.1.3, so installing either of those or any newer release keeps users protected.

“Prior to 6.0.7/6.1.3 LibreOffice was vulnerable to a directory traversal attack where it was possible to craft a document which when opened by LibreOffice would, when such common document events occur, execute a python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location,” TDF notes.
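The advisory describes a script path that escapes its base location with ".." components and is then executed as Python. As an added defensive example (not code from the article, from TDF or from the researcher), the following Python script unpacks an ODF document and flags every script event listener whose script URL contains such a traversal component. The ODF element names follow the ODF event-listener schema; the layout of the `vnd.sun.star.script:` URL (script name, then `$method`, then `?language=...&location=...`) is an assumption about LibreOffice's script URL format, and the sample document built by `build_sample_odt` is constructed here with a placeholder script name.

```python
"""Added example: scan an ODF document for script event listeners whose script
URL escapes its base location with '..' path components, the traversal pattern
described in the CVE-2018-16858 advisory. Element names follow the ODF schema;
the vnd.sun.star.script: URL layout is an assumption (not taken from the article)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote
from xml.sax.saxutils import escape

NS_OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
SCRIPT_SCHEME = "vnd.sun.star.script:"


def script_listeners(odf_bytes):
    """Return (event_name, href) for every <script:event-listener> in the
    document. An ODF file is a zip; listeners normally sit in content.xml,
    but styles.xml is checked too since events can hang off styles."""
    found = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for name in ("content.xml", "styles.xml"):
            if name not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(name))
            for el in root.iter("{%s}event-listener" % NS_SCRIPT):
                found.append((el.get("{%s}event-name" % NS_SCRIPT, ""),
                              el.get("{%s}href" % NS_XLINK, "")))
    return found


def has_traversal(href):
    """True when a vnd.sun.star.script: URL names its script with a path holding
    a '..' component. Percent-encoding is decoded first so '%2e%2e' is caught.
    Assumption: the script name ends at the first '$' (method) or '?' (params)."""
    if not href.startswith(SCRIPT_SCHEME):
        return False
    script = href[len(SCRIPT_SCHEME):].split("?", 1)[0].split("$", 1)[0]
    parts = unquote(script).replace("\\", "/").split("/")
    return ".." in parts


def scan(odf_bytes):
    """Listeners whose script location walks out of its base directory."""
    return [(ev, href) for ev, href in script_listeners(odf_bytes)
            if has_traversal(href)]


def build_sample_odt(href, event="dom:mouseover"):
    """Constructed minimal ODF container for testing only: a text body with one
    event listener bound to the given event. Not a document from the article."""
    safe_href = escape(href, {'"': "&quot;"})  # '&' and '"' must be XML-escaped
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-content xmlns:office="{NS_OFFICE}" '
        f'xmlns:script="{NS_SCRIPT}" xmlns:xlink="{NS_XLINK}">'
        '<office:body><office:text><office:event-listeners>'
        f'<script:event-listener script:event-name="{event}" '
        f'script:language="ooo:script" xlink:href="{safe_href}"/>'
        '</office:event-listeners></office:text></office:body>'
        '</office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


# Constructed sample URLs: a normal document-embedded Basic macro, and a
# Python script name that climbs out of the base location (placeholder name).
BENIGN_HREF = "vnd.sun.star.script:Standard.Module1.Main?language=Basic&location=document"
SUSPICIOUS_HREF = ("vnd.sun.star.script:../../../PLACEHOLDER_SCRIPT.py$main"
                   "?language=Python&location=share")

if __name__ == "__main__":
    for label, href in (("benign", BENIGN_HREF), ("suspicious", SUSPICIOUS_HREF)):
        print(label, scan(build_sample_odt(href)))
```

The check deliberately flags any script language, not only Python: the traversal is the defect, and a document-embedded macro never needs to name a path that climbs above its base location. Run on a mail gateway or as a pre-open filter, a non-empty result from `scan` is reason to quarantine the file rather than rely on the viewer's macro settings.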

OpenOffice vulnerable too

While the vulnerability has already been resolved in LibreOffice, other office productivity suites appear to be affected as well, including OpenOffice. According to BP, OpenOffice is still unpatched, with no ETA for when a fix could ship.

The security researcher confirms that OpenOffice 4.1.6 is vulnerable and that its parent organization has acknowledged the issue, but no release date for a fix is available yet.

“I reconfirmed via email that I am allowed to publish the details of the vulnerability although openoffice is still unpatched. Openoffice does not allow to pass parameters therefore my PoC does not work but the path traversal can be abused to execute a python script from another location on the local file system,” the researcher notes.

Users are therefore advised to update to the latest version of LibreOffice as soon as possible, while OpenOffice users should avoid opening documents from untrusted sources until a fix is available.