A security researcher has disclosed a severe remote code execution bug in the open source office suites LibreOffice and Apache OpenOffice. One of the two has been patched; the other is still vulnerable.
The researcher, Alex Inführ, discovered the vulnerability (CVE-2018-16858) in October 2018, and it was fixed in LibreOffice by the end of the same month. However, OpenOffice still had not been patched at the time of the vulnerability disclosure.
“I started to have a look at Libreoffice and discovered a way to achieve remote code execution as soon as a user opens a malicious ODT file and moves his mouse over the document, without triggering any warning dialog,” Inführ noted in a recent blog post.
Inführ described in detail how he found the vulnerability and provided a proof of concept (PoC) with an accompanying video. He also commented that the vulnerability impacts both Linux and Windows.
Red Hat published a security advisory for the patch on February 1, 2019:
“It was found that libreoffice was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.”
LibreOffice versions prior to 6.0.7/6.1.3 were impacted by the vulnerability.
The patched versions fix the directory traversal flaw by restricting access to scripts under the share/Scripts/python and user/Scripts/python sub-directories of the LibreOffice install.
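The containment rule described above can be sketched as follows. This is an added example, not LibreOffice's own code: the function names, the temporary install tree and the two script references are constructed for illustration, and only the two allowed sub-directories come from the text.

```python
import os
import tempfile

# Allowed script roots relative to the install directory, as named in the text above.
ALLOWED_SUBDIRS = ("share/Scripts/python", "user/Scripts/python")


def resolve_unchecked(install_dir, base_subdir, script_ref):
    """Vulnerable pattern: join and normalise with no containment check."""
    return os.path.normpath(os.path.join(install_dir, base_subdir, script_ref))


def resolve_checked(install_dir, base_subdir, script_ref):
    """Resolve script_ref and refuse anything outside the allowed roots."""
    if base_subdir not in ALLOWED_SUBDIRS:
        raise PermissionError(f"unknown script location: {base_subdir!r}")
    root = os.path.realpath(os.path.join(install_dir, base_subdir))
    # realpath collapses '..' and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(root, script_ref))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"script path escapes {base_subdir}: {script_ref!r}")
    return candidate


def demo():
    """Run both resolvers on constructed inputs and report what each did."""
    results = {}
    with tempfile.TemporaryDirectory() as install:  # constructed install tree
        for sub in ALLOWED_SUBDIRS:
            os.makedirs(os.path.join(install, sub))
        refs = {"benign": "Sample.py", "traversal": "../../../program/other.py"}
        for name, ref in refs.items():
            unchecked = resolve_unchecked(install, "share/Scripts/python", ref)
            try:
                resolve_checked(install, "share/Scripts/python", ref)
                verdict = "allowed"
            except PermissionError:
                verdict = "rejected"
            rel = os.path.relpath(unchecked, install).replace(os.sep, "/")
            results[name] = (rel, verdict)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The unchecked resolver maps the traversal reference to a file outside the script directories, while the checked resolver rejects it and still accepts the benign reference.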