LibreOffice’s latest update addressed several vulnerabilities related to macro execution and web connection password protection. Developers included the patches in both stable (version 7.2) and unstable (version 7.3) channels of the product.
The latest release fixed three significant security flaws:
LibreOffice supports macro execution and, by default, only allows users to run macros if they are signed by a trusted certificate or stored in a trusted file location. The app cross-checks the signing certificate against the user's trusted certificates and denies execution if no match is found.
Attackers could easily replicate a valid certificate from the user's configuration database to circumvent this protection feature. LibreOffice versions 7.2.7 and 7.3.2 and later are no longer vulnerable to the Improper Certificate Validation flaw, as the check was amended.
It’s worth noting that the CVE-2022-26305 flaw can’t be exploited if the user has no trusted certificates in their database or if their macro security level is set to “very high.” To review or change your macro security settings, follow these steps:
1. Open the Tools menu and select Options.
2. In the Options screen, open the LibreOffice section and select the Security submenu.
3. Click the Macro Security… button.
4. In the Security Level tab, set the level to Very High.
5. Click OK, then Apply, then OK to save your configuration.

The second flaw, tracked as CVE-2022-26306, weakened the master key's encryption by using the same initialization vector for every encryption. Perpetrators with access to the user's configuration database could decrypt the master key. LibreOffice's latest release implemented unique initialization vectors to strengthen encryption. Furthermore, the app now requires users to input their master password to re-encrypt old, vulnerable stored configuration data.
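To make the initialization-vector problem concrete, here is an added example that is not from the article or from LibreOffice's code. It uses a toy stream cipher built from HMAC-SHA256 in counter mode (an assumption standing in for the real cipher; the property shown holds for any stream or counter-mode construction), a constructed sample of stored password records, and three defender-side pieces: an audit that flags (key, IV) pairs used more than once, the observation that such reuse leaks the XOR of the two plaintexts and makes identical secrets produce identical ciphertexts, and the corrected pattern of encrypting each record under a fresh random IV, which is what the re-encryption step described above achieves.

```python
import hashlib
import hmac
import os
import struct
from collections import Counter

# Constructed demo key and fixed IV for illustration; not LibreOffice's real values.
DEMO_KEY = hashlib.sha256(b"demo master key material").digest()
FIXED_IV = b"\x00" * 16


def _keystream(key, iv, length):
    """Toy counter-mode keystream: HMAC-SHA256(key, iv || counter), truncated to length.

    This stands in for the real block cipher (an assumption); the IV-reuse
    property demonstrated below holds for any stream/CTR construction.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, iv + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, iv, plaintext):
    """ciphertext = plaintext XOR keystream(key, iv); decryption is the same operation."""
    return xor_bytes(plaintext, _keystream(key, iv, len(plaintext)))


def encrypt_with_fresh_iv(key, plaintext):
    """The corrected pattern: a fresh random IV per record, stored alongside the ciphertext."""
    iv = os.urandom(16)
    return iv, encrypt(key, iv, plaintext)


def plaintext_xor_from_reused_iv(ct1, ct2):
    """Why reuse matters: under the same (key, IV) the keystream cancels out,
    so ct1 XOR ct2 equals pt1 XOR pt2 without any knowledge of the key."""
    return xor_bytes(ct1, ct2)


def find_reused_ivs(records):
    """Audit stored records (key_id, iv, ciphertext) for (key_id, iv) pairs used more than once.

    Any hit means those records were written under the weak fixed-IV pattern
    and should be re-encrypted.
    """
    counts = Counter((key_id, iv) for key_id, iv, _ in records)
    return sorted(pair for pair, n in counts.items() if n > 1)


def build_sample_store():
    """Constructed sample store: two records under the old fixed-IV scheme, two under fresh IVs."""
    secrets = [b"wiki password: hunter2!!", b"wiki password: hunter2!!",
               b"smb share password: c0rr3ct", b"imap password: horse-battery"]
    records = []
    for pt in secrets[:2]:
        records.append(("master", FIXED_IV, encrypt(DEMO_KEY, FIXED_IV, pt)))
    for pt in secrets[2:]:
        iv, ct = encrypt_with_fresh_iv(DEMO_KEY, pt)
        records.append(("master", iv, ct))
    return records


def reencrypt_flagged(records, key):
    """Remediation: re-encrypt every record whose (key_id, iv) pair was reused, under a fresh IV."""
    flagged = set(find_reused_ivs(records))
    fixed = []
    for key_id, iv, ct in records:
        if (key_id, iv) in flagged:
            pt = encrypt(key, iv, ct)  # stream cipher: decrypt is the same as encrypt
            iv, ct = encrypt_with_fresh_iv(key, pt)
        fixed.append((key_id, iv, ct))
    return fixed


if __name__ == "__main__":
    store = build_sample_store()
    print("reused (key_id, iv) pairs:", find_reused_ivs(store))
    # Identical secrets under a fixed IV yield identical ciphertexts: a leak on its own.
    print("identical ciphertexts for identical secrets:", store[0][2] == store[1][2])
    print("reused pairs after remediation:", find_reused_ivs(reencrypt_flagged(store, DEMO_KEY)))
```

The audit in `find_reused_ivs` is the piece worth carrying over to a real configuration store: the key never needs to leave the secure store to run it, since it only compares the IVs written alongside each ciphertext, and every hit is a record that must go through the re-encryption the update performs.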
Finally, the third security flaw involved poor encoding that left master keys vulnerable to brute-forcing by lowering their entropy from 128 bits to 43 bits. As before, this flaw could only be exploited if the perpetrator had access to the user's configuration database. The vulnerability has been patched for versions 7.2.7 (stable), 7.3.2 (unstable), and newer.
Microsoft also sought to curb macro-based attacks by disabling VBA macros by default in several of its products. While the tech giant went back and forth on its decision, it appears to have settled on turning off macros in the Office suite as the better choice.
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.