Two critical vulnerabilities in LibreOffice (CVE-2024-12425 and CVE-2024-12426) expose tens of millions of users to file system manipulation and sensitive data extraction attacks.
These flaws affect both desktop users opening malicious documents and server-side systems that use LibreOffice for headless document processing.
CVE-2024-12425: Path Traversal Allows Arbitrary File Writes
The first vulnerability stems from improper path sanitization when handling embedded fonts in OpenDocument XML files.
Attackers can craft documents containing malicious font declarations that escape LibreOffice's temporary directory through path traversal sequences, as Codean Labs reports.
The critical code flaw resides in EmbeddedFontsHelper::fileUrlForTemporaryFont, where user-controlled fontName values are not sanitized before the file path is constructed:
OUString EmbeddedFontsHelper::fileUrlForTemporaryFont(const OUString& fontName) {
    // ... (path is resolved to the user profile directory)
    path += "/user/temp/embeddedfonts/fromdocs/";
    return path + filename; // filename is derived from fontName, which contains unsanitized input
}
An attacker could exploit this by embedding a font declaration whose name contains directory traversal sequences:
SGVsbG8gd29ybGQ...
This writes the decoded binary data to /etc/passwd0.ttf despite the .ttf extension limitation.
Server-side installations are particularly vulnerable, as attackers could overwrite web application files or configuration scripts.
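The defensive counterpart to the flaw above, as an added illustration that is not LibreOffice's code or its actual patch: the font name is reduced to a safe character set before it is joined to the temporary directory, and the normalised result is checked to still lie inside that directory. The sandbox directory kFontDir and the function names are assumptions for this example.

```cpp
#include <cctype>
#include <filesystem>
#include <string>
#include <string_view>

// Hypothetical stand-in for LibreOffice's .../user/temp/embeddedfonts/fromdocs/
// (assumed layout for this example, not the real profile path).
static const std::string kFontDir = "/tmp/lo-sandbox/user/temp/embeddedfonts/fromdocs/";

// Keep only characters that can never act as a path separator or traversal
// token; everything else becomes '_'. A name with nothing usable becomes "font".
std::string sanitizeFontName(std::string_view fontName) {
    std::string out;
    for (unsigned char c : fontName) {
        bool ok = std::isalnum(c) || c == '-' || c == '_';
        out.push_back(ok ? static_cast<char>(c) : '_');
    }
    if (out.find_first_not_of('_') == std::string::npos) out = "font";
    return out;
}

// Builds the temporary font path from a sanitised name and, as defence in
// depth, confirms that the lexically normalised result still starts with
// kFontDir. Returns "" if it would escape (unreachable once sanitised, but
// it guards against future changes to sanitizeFontName).
std::string fileUrlForTemporaryFontSafe(std::string_view fontName) {
    namespace fs = std::filesystem;
    std::string filename = sanitizeFontName(fontName) + ".ttf";
    std::string normal = (fs::path(kFontDir) / filename).lexically_normal().string();
    std::string base = fs::path(kFontDir).lexically_normal().string();
    if (normal.compare(0, base.size(), base) != 0) return "";
    return normal;
}

// Reports whether an unsanitised font name would resolve outside kFontDir.
// Useful for flagging documents in a scanner or when reviewing logs.
bool fontNameEscapes(std::string_view fontName) {
    namespace fs = std::filesystem;
    std::string candidate = std::string(fontName) + ".ttf";
    std::string normal = (fs::path(kFontDir) / candidate).lexically_normal().string();
    std::string base = fs::path(kFontDir).lexically_normal().string();
    return normal.compare(0, base.size(), base) != 0;
}
```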
CVE-2024-12426: Variable Expansion Allows Data Exfiltration
The second vulnerability involves LibreOffice's handling of the vnd.sun.star.expand URI scheme, which supports environment variable substitution and INI file parsing. Attackers can craft documents that leak sensitive information through manipulated URLs:

The expansion mechanism supports recursive lookups, enabling complex data extraction chains:

This allows reading Thunderbird profiles, SQLite databases, and application secrets stored in environment variables. In one demonstrated attack, hackers could intercept WordPress password reset tokens from email clients by combining multiple expansion steps.
LibreOffice released patches addressing these vulnerabilities in versions:
- 7.5.9 (Community)
- 7.6.5 (Community)
- 24.2.2 (Enterprise)
These vulnerabilities highlight the risks of complex document processing ecosystems, particularly when user-controlled content is combined with legacy file format support.
Enterprises must maintain rigorous patch management cycles for office software components, even in server environments.