On Oct 11, LibreOffice rolled out security updates to fix new digital signature spoofing vulnerabilities in the LibreOffice suite. Let’s see the impact of Digital Signature Spoofing attacks and how to fix the three new digital signature spoofing vulnerabilities in LibreOffice tracked as CVE-2021-25633, CVE-2021-25634, and CVE-2021-25635.
Table of Contents
Summary Of The New Digital Signature Spoofing Vulnerabilities In LibreOffice:
Total three vulnerabilities were recently discovered on LibreOffice, which could be used to manipulate the content of the document to make them appear as they are digitally signed by a trusted source.
- CVE-2021-25633 Content Manipulation with Double Certificate Attack
- CVE-2021-25634 Timestamp Manipulation with Signature Wrapping Attack
- CVE-2021-25635 Content Manipulation with Certificate Validation Attack
#1. CVE-2021-25633:
LibreOffice supports digital signatures of ODF documents to retain the integrity of the document. This feature confirms the receepient of the document that no alteration has occurred since the last signing.
This vulnerability allows attackers to manipulate content to carry out a Double Certificate Attack. An attacker could leverage this CVE-2021-25633 Double Certificate vulnerability to manipulate the documentsignatures.xml or macrosignatures.xml stream within the document to combine multiple certificate data, making the document appear as the document is digitally signed with a trusted certificate.
This vulnerability has been fixed in LibreOffice 7.0.6/7.1.2
#2. CVE-2021-25634:
This vulnerability allows attackers to manipulate timestamps to carry out the Signature Wrapping Attack. An attacker could leverage this CVE-2021-25634 Signature Wrapping vulnerability to insert an additional signing time timestamp, making an invalid or expired certificate appear as a valid one.
This vulnerability has been fixed in LibreOffice 7.0.6/7.1.2
#3. CVE-2021-25635:
This vulnerability allows attackers to manipulate content to carry out the Certificate Validation Attack. An attacker could leverage this CVE-2021-25633 Certificate Validation vulnerability to sign an ODF document with a self-signed certificate or a certificate issued by an untrusted certificate authority, and then the attacker would change the signature algorithm with an invalid algorithm. This allows attackers to incorrectly present a signature with an unknown algorithm as a valid signature issued by a trusted party.
This vulnerability has been fixed in LibreOffice v7.0.5/7.1.1.
How To Fix Digital Signature Spoofing Vulnerabilities In LibreOffice?
All the three vulnerabilities CVE-2021-25633, CVE-2021-25634, and CVE-2021-25635, can be fixed by upgrading to LibreOffice to 7.1.2. It is always a good practice to upgrade applications to the latest stable version. Let see how to upgrade LibreOffice to v 7.2.1.2.
Time needed: 5 minutes.
How to upgrade LibreOffice to the latest version?
- Verify the version of LibreOffice on your Ubuntu or Linux Mint
Run this command to check the version of LibreOffice.
$ LibreOffice –version
- LibreOffice version info
- Add PPA repository of LibreOffice and update the cache
Run this command to add the PPA repository of LibreOffice and update the cache on Ubuntu or Linux Mint.
$ sudo add-apt-repository ppa:libreoffice/ppa && sudo apt update
- Install LibreOffice from PPA on Ubuntu or Linux Mint
Install the latest version of LibreOffice on Ubuntu.
$ sudo apt install libreoffice
- Verify the version information of LibreOffice after upgradation
Run this command on CLI to check the version information of LibreOffice.
$ LibreOffice –version
- LibreOffice version info after the upgrade
We hope this post will help you in fixing the three new digital signature spoofing vulnerabilities in LibreOffice tracked as CVE-2021-25633, CVE-2021-25634, and CVE-2021-25635.
Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/270057.html