Two vulnerabilities in LibreOffice, CVE-2024-12425 and CVE-2024-12426, allow a specially crafted document to write a file outside the suite's temporary directory and to leak local data into attacker-controlled content, respectively. No user interaction beyond opening the document is required.
The issues matter not only for desktop users who open untrusted documents but also for server-side deployments that run LibreOffice headless to convert user-supplied files, where an uploaded document is processed automatically and the process often has write access to the application's own directories.
The first vulnerability, CVE-2024-12425, is a path traversal in the handling of fonts embedded in OpenDocument files. When a document declares an embedded font, LibreOffice decodes the font data and writes it to a temporary file whose name is derived from the font name in the document's XML. In EmbeddedFontsHelper::fileUrlForTemporaryFont that user-controlled fontName value is joined into the temporary directory path without rejecting directory separators or ".." segments, so a name such as "../../some/dir/name" escapes the intended directory.
The attacker therefore controls both the destination directory and the file contents (the decoded embedded font payload). One constraint applies: the file is written with a .ttf extension appended, so the attacker chooses the path but not the extension. That still allows planting attacker-chosen bytes anywhere the LibreOffice process can write, which on a document-conversion server typically includes the web application's own directories.
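The vulnerable pattern and its hardened counterpart, as an added illustration that is not LibreOffice's own code. The unsafe function mirrors the shape of the bug described above (untrusted name joined into a temporary directory, ".ttf" appended); the safe variant rejects separators and traversal segments and then verifies, after resolving symlinks, that the result is still inside the temporary directory. The directory name and font names below are constructed for the example.

```python
import os
from pathlib import Path

FONT_EXT = ".ttf"


def font_path_unsafe(tmp_dir: str, font_name: str) -> str:
    """Vulnerable pattern: the document-controlled font name is joined
    straight into the temp dir, so '../' segments (or an absolute name)
    escape it. Only the extension is fixed by the caller."""
    return os.path.join(tmp_dir, font_name + FONT_EXT)


def traversal_escapes(tmp_dir: str, font_name: str) -> bool:
    """Report whether the unsafe construction lands outside tmp_dir
    once the path is normalised (what the OS will actually open)."""
    base = os.path.normpath(tmp_dir)
    target = os.path.normpath(font_path_unsafe(tmp_dir, font_name))
    return os.path.commonpath([base, target]) != base


def is_safe_font_name(font_name: str) -> bool:
    """Allow-list check on the raw name: non-empty, no path separators,
    no NUL, and not a bare '.' / '..' component."""
    if not font_name or font_name in (".", ".."):
        return False
    return not any(ch in font_name for ch in "/\\\0")


def font_path_safe(tmp_dir: str, font_name: str) -> str:
    """Hardened construction: validate the name, build the path, resolve
    it, and confirm containment in the resolved temp dir. Raises
    ValueError rather than returning a path that escaped."""
    if not is_safe_font_name(font_name):
        raise ValueError("font name contains path separators or traversal")
    base = Path(tmp_dir).resolve()
    candidate = (base / (font_name + FONT_EXT)).resolve()
    # Defence in depth: even a name that passed the allow-list must still
    # resolve to a child of the temp directory.
    if base not in candidate.parents:
        raise ValueError("font path escapes the temporary directory")
    return str(candidate)


def resolve_font_path(tmp_dir: str, font_name: str):
    """Convenience wrapper returning None instead of raising."""
    try:
        return font_path_safe(tmp_dir, font_name)
    except ValueError:
        return None


if __name__ == "__main__":
    tmp = "/tmp/lo_fonts"  # constructed example directory
    for name in ["LiberationSerif", "../../var/www/html/app", "/etc/cron.d/job"]:
        print(f"{name!r:32} unsafe -> {os.path.normpath(font_path_unsafe(tmp, name))}")
        print(f"{'':32} safe   -> {resolve_font_path(tmp, name)}")
```

The containment check on the resolved path is the part that matters: rejecting ".." alone is brittle (a symlinked subdirectory or an absolute name would still escape), whereas comparing resolved paths catches every way of leaving the directory regardless of how the name was spelled.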
The second vulnerability, CVE-2024-12426, lies in LibreOffice's handling of the internal vnd.sun.star.expand URI scheme. The scheme runs the suite's bootstrap variable expansion, which substitutes environment variables and can read key/value pairs from INI-style files on disk. Because a document can contain URLs in this scheme, an attacker can craft references whose expanded form includes the contents of local files or environment variables, and that expanded value then ends up in content the attacker can observe. Expansions may themselves contain further expansions, so lookups can be chained: one lookup locates a file, the next reads a value from it. The data reachable this way includes anything in INI-like text files readable by the LibreOffice process, for example Thunderbird profile data, SQLite database contents, and application secrets exposed through environment variables.
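A document scanner covering both issues, as an added example that is neither LibreOffice's code nor a tool from the original article. It opens an ODF package (a ZIP of XML parts), flags font-face declarations whose attributes contain traversal segments or absolute paths (the CVE-2024-12425 indicator) and any attribute whose value uses the vnd.sun.star.expand scheme (the CVE-2024-12426 indicator). The sample document is constructed in memory; the expand URL in it is a placeholder showing the scheme and the ${...} syntax only, not a working payload, and the ODF element names are the standard ones (style:font-face, svg:font-face-uri, text:a).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

EXPAND_SCHEME = "vnd.sun.star.expand:"
# A '..' path segment, anchored at the start or after a separator.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
FONT_FACE_TAGS = {"font-face", "font-face-src", "font-face-uri"}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags/attributes."""
    return name.rsplit("}", 1)[-1]


def _looks_like_traversal(value: str) -> bool:
    """'..' segment, Unix absolute path, or Windows drive-letter path."""
    if TRAVERSAL.search(value):
        return True
    if value.startswith(("/", "\\")):
        return True
    return re.match(r"^[A-Za-z]:[\\/]", value) is not None


def scan_odf(data: bytes) -> list:
    """Return a list of human-readable findings for one ODF package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".xml"):
                continue
            try:
                root = ET.fromstring(pkg.read(part))
            except ET.ParseError:
                findings.append(f"{part}: unparseable XML")
                continue
            for elem in root.iter():
                tag = _local(elem.tag)
                for attr, value in elem.attrib.items():
                    if value.startswith(EXPAND_SCHEME):
                        findings.append(
                            f"{part}: <{tag} {_local(attr)}> uses {EXPAND_SCHEME} "
                            "(CVE-2024-12426 indicator)")
                    if tag in FONT_FACE_TAGS and _looks_like_traversal(value):
                        findings.append(
                            f"{part}: <{tag} {_local(attr)}={value!r}> path traversal "
                            "in font declaration (CVE-2024-12425 indicator)")
    return findings


def build_sample_odt(malicious: bool) -> bytes:
    """Construct a minimal ODT in memory. The malicious variant carries a
    traversal font name and an expand-scheme link; the clean one does not."""
    font_name = "../../var/www/html/evil" if malicious else "Liberation Serif"
    # Placeholder only: illustrates the scheme and ${...} syntax, not a payload.
    href = (EXPAND_SCHEME + "${/some/file.ini:section:key}") if malicious \
        else "https://example.com/"
    content = f"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0"
  xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">
  <office:font-face-decls>
    <style:font-face style:name="{font_name}" svg:font-family="'Liberation Serif'">
      <svg:font-face-src>
        <svg:font-face-uri xlink:href="Fonts/font1.ttf" xlink:type="simple"/>
      </svg:font-face-src>
    </style:font-face>
  </office:font-face-decls>
  <office:body><office:text>
    <text:p><text:a xlink:href="{href}">link</text:a></text:p>
  </office:text></office:body>
</office:document-content>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        # ODF requires 'mimetype' first and stored uncompressed.
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                     compress_type=zipfile.ZIP_STORED)
        pkg.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
        pkg.writestr("Fonts/font1.ttf", b"\x00\x01\x00\x00 constructed font bytes",
                     compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in [("clean", build_sample_odt(False)), ("malicious", build_sample_odt(True))]:
        print(label, scan_odf(doc) or "no findings")
```

The scanner is a triage aid, not a patch: it walks every XML part rather than only content.xml and styles.xml because fonts and links can appear in either, and it reports on the raw attribute values so an analyst sees exactly what the document tried to do before deciding whether to block the upload.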
The Document Foundation fixed both issues in LibreOffice 24.8.4 and 24.2.8; any earlier 24.x release, and any enterprise build derived from one, should be treated as affected until the vendor states otherwise. Headless conversion servers deserve priority, since they process untrusted input automatically and often with write access to the hosting application. Beyond patching, such services should run LibreOffice under a dedicated low-privilege account with a private temporary directory and no write access to application code or configuration, so that a future file-write bug cannot be turned into code execution.
Both bugs come from the same root cause: values taken from a document (a font name, a URL) reaching an internal mechanism that trusts them (a file-path constructor, a variable expander). Rich document formats carry many such values, and any pipeline that opens untrusted files needs to assume that each of them is attacker-controlled.

