
Two critical security vulnerabilities have been discovered in LibreOffice, a popular office suite. LibreOffice is a widely used free and open-source office suite that includes word processing, spreadsheet, and presentation applications. The vulnerability identified as CVE-2019-9848 is found in the LibreLogo component that ships with LibreOffice and draws turtle vector graphics. The CVE-2019-9849 vulnerability, on the other hand, stems from LibreOffice's remote content insertion feature.
The vulnerability identified as CVE-2019-9848 resides in the LibreLogo component included with LibreOffice. LibreLogo is a programmable turtle vector graphics script that, by design, can execute Python code. The problem causing this vulnerability arises from the fact that internal LibreLogo code is not properly translated into Python code. This means that a specially crafted document can be used to execute arbitrary Python code on the victim’s system.
The critical aspect of this vulnerability is that it can be triggered without any deliberate user interaction: simply opening a malicious document, or moving the mouse over an element in it, can cause the malicious Python code to execute. The attacker can instruct the macro to run automatically via document events such as mouse-over or OnFocus. No warning is displayed to the user at any stage. Researcher Nils Emmerich, who discovered this vulnerability, also published a proof-of-concept demonstrating code execution without requiring mouse interaction, using the OnFocus event.
LibreOffice has a “stealth mode” that prevents the application from fetching remote resources — such as images or graphics — from untrusted locations without user knowledge. However, it was discovered that this protection did not apply to “bullet” graphics used in presentation documents. Even when stealth mode was enabled, these graphics could be retrieved from remote locations, potentially revealing the victim’s IP address to the attacker who controls the server hosting the resource.
This vulnerability could be exploited to track users — for example, an attacker could embed a remotely hosted bullet graphic in a document and monitor connection requests to determine when and from which IP address the document was opened.
An attacker who crafts a malicious document and sends it to a victim can exploit CVE-2019-9848 to execute arbitrary code on the victim’s machine simply by having the document opened in a vulnerable version of LibreOffice. This could lead to full system compromise, data theft, or the installation of malware.
CVE-2019-9849 can be used to perform remote tracking by revealing the victim’s IP address when they open a document, even if stealth mode has been enabled to prevent such activity.
LibreOffice versions prior to 6.2.5 and 6.3.0 beta2 are affected by these vulnerabilities.
LibreOffice users are advised to update to version 6.2.5 or later as soon as possible to protect against these vulnerabilities. In the updated versions, the LibreLogo component has been disabled by default and can only be run with explicit user confirmation. The remote content fetching behaviour in stealth mode has also been corrected to prevent the retrieval of remote bullet graphics without authorisation.
Users who cannot immediately apply the update can reduce their risk by disabling the LibreLogo component through LibreOffice settings, and by being cautious about opening documents from untrusted sources.
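As an added defensive example (not part of this advisory or of LibreOffice's own tooling), the following Python script triages an ODF document's content.xml and styles.xml for the two conditions described above: event listeners that invoke a script URL, which is how a mouse-over or focus event can launch a macro, and xlink:href attributes that fetch remote resources such as bullet graphics. The document it scans is constructed inline; the EXAMPLE_MACRO name and the example.invalid host are placeholders, not values from a real exploit.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

XLINK = "{http://www.w3.org/1999/xlink}"                            # standard ODF namespaces
SCRIPT = "{urn:oasis:names:tc:opendocument:xmlns:script:1.0}"

def scan_odf(data: bytes) -> list:
    """Triage an ODF file (zip bytes): flag event listeners that target a
    vnd.sun.star.script: URL (an event such as mouse-over or focus invoking a
    macro, the trigger CVE-2019-9848 needs) and any xlink:href to an http(s)
    resource (the remote fetch CVE-2019-9849 abuses to reveal the IP)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            for el in ET.fromstring(zf.read(part)).iter():
                href = el.get(XLINK + "href", "")
                tag = el.tag.rsplit("}", 1)[-1]            # strip the namespace URI
                if tag == "event-listener" and href.startswith("vnd.sun.star.script:"):
                    event = el.get(SCRIPT + "event-name", "?")
                    findings.append(f"{part}: event '{event}' runs script {href.split('?')[0]}")
                elif href.startswith(("http://", "https://")):
                    findings.append(f"{part}: <{tag}> loads remote resource {href}")
    return findings

# Constructed sample parts (assumed for demonstration, not a real exploit file):
# one script-backed mouse-over listener and one bullet image fetched remotely.
SAMPLE_CONTENT = b"""<?xml version="1.0"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
 xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
 xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
 xmlns:xlink="http://www.w3.org/1999/xlink">
 <draw:frame><office:event-listeners><script:event-listener script:event-name="dom:mouseover"
  script:language="ooo:script" xlink:href="vnd.sun.star.script:EXAMPLE_MACRO?language=Python"/>
 </office:event-listeners></draw:frame></office:document-content>"""
SAMPLE_STYLES = b"""<?xml version="1.0"?>
<office:document-styles xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
 xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:xlink="http://www.w3.org/1999/xlink">
 <text:list-level-style-image text:level="1" xlink:href="https://example.invalid/bullet.png"/>
</office:document-styles>"""

def build_sample() -> bytes:
    """Zip the constructed parts into a minimal ODF container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", SAMPLE_CONTENT)
        zf.writestr("styles.xml", SAMPLE_STYLES)
    return buf.getvalue()
```

A document that produces no findings still merits the usual caution with untrusted sources; the script only surfaces the two indicators this advisory describes.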