Headline
CVE-2022-26306: CVE-2022-26306 | LibreOffice - Free Office Suite - Based on OpenOffice
LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user’s configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.
Discover
Download
Get Help
Improve it
Events
About Us
Donate
About Us /
Security /
Security Advisories /
CVE-2022-26306
CVE-2022-26306
Title: Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password
Announced: July 25, 2022
Fixed in: LibreOffice 7.2.7/7.3.3
Description:
LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user.
A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user’s configuration data.
In versions >= 7.2.7 (and >= 7.3.3) unique initialization vectors are used when the passwords are stored and the user is prompted via an infobar to reenter their master password in order to reencrypt old existing vulnerable stored config data if it exists.
Credits:
- OpenSource Security GmbH on behalf of the German Federal Office for Information Security
Related news
Red Hat Security Advisory 2023-0089-01 - LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite. Issues addressed include a script execution vulnerability.
Ubuntu Security Notice 5694-1 - It was discovered that LibreOffice incorrectly handled links using the Office URI Schemes. If a user were tricked into opening a specially crafted document, a remote attacker could use this issue to execute arbitrary scripts. Thomas Florian discovered that LibreOffice incorrectly handled crashes when an encrypted document is open. If the document is recovered upon restarting LibreOffice, subsequent saves of the document were unencrypted. This issue only affected Ubuntu 18.04 LTS.
Ubuntu Security Notice 5661-1 - It was discovered that LibreOffice incorrectly validated macro signatures. If a user were tricked into opening a specially crafted document, a remote attacker could possibly use this issue to execute arbitrary macros. It was discovered that Libreoffice incorrectly handled encrypting the master key provided by the user for storing passwords for web connections. A local attacker could possibly use this issue to obtain access to passwords stored in the user's configuration data.
The team behind LibreOffice has released security updates to fix three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems. Tracked as CVE-2022-26305, the issue has been described as a case of improper certificate validation when checking whether a macro is signed by a trusted author, leading to the execution of