A severe security vulnerability affected two popular office tools LibreOffice and OpenOffice, allowing signature spoofing. Exploiting the bug would allow an adversary to spoof digital signatures in signed documents as a valid signature.
LibreOffice, OpenOffice Vulnerability Patched
Recently, a severe vulnerability threatening the validity of digital signatures caught attention as the vendors addressed it. Specifically, the vulnerability existed in OpenOffice and LibreOffice simultaneously, allowing signature spoofing.
OpenOffice is a now-discontinued open-source office suite, and LibreOffice is an open-source fork of it. Nonetheless, the maintainers of both tools have patched the bug that triggered the security risk.
Specifically, the vulnerability first caught the attention of researchers from Network and Data Security (NDS) at the Ruhr-University Bochum. The researchers from the same university have also detailed Shadow Attacks earlier this year that would allow meddling with the digitally signed PDF files.
This time, they found an improper certificate validation bug in both software. An adversary could spoof digital signatures in an ODF document via an invalid algorithm. Then, the software would present it as a valid signature from a trusted party after failing to recognize the invalid algorithm.
Real-time exploitation of such a flaw could allow signing sensitive documents falsely without detection.
Following the bug reports, both LibreOffice and OpenOffice officials started working to address the glitch. Consequently, they could fix the bug (recognized as CVE-2021-25635 for LibreOffice and CVE-2021-41832 for Apache OpenOffice) with the release of LibreOffice 7.0.5/7.1.1 and Apache OpenOffice 4.1.1.
While the patches are out, users might not receive the updates automatically. Hence, they have to manually download the latest versions of both tools to get the patches. Given the bug’s severity, users must ensure updating their devices with the latest patched versions at the earliest. Meanwhile, users must remain careful when interacting with digitally signed documents and shouldn’t trust the “trusted list” functionality.
Let us know your thoughts in the comments.