Trending CVEs for the Week of February 4th, 2019
CVE-2019-1653 (Cisco Routers information disclosure), CVE-2018-16858 (LibreOffice directory traversal bug)
It has been a relatively slow week as we have not noticed any fresh new vulnerabilities surfacing to the top of the rankings in social media mentions – the two Cisco Small Business RV320 and RV325 routers vulnerabilities we covered in our last post (CVE-2019-1653 and CVE-2019-1652) are still the most talked about this week, despite no major new developments surrounding them. This is why we will shift a bit from our usual direction of analyzing the most mentioned vulnerability, and share some insight on the one that came in second in this week’s ranking – a directory traversal flaw in LibreOffice and OpenOffice software.
LibreOffice and OpenOffice are popular free, open-source alternative to Microsoft Office, used by millions of Windows, MacOS and Linux users (if curious about the history and the differences between the two, check out this article).
Security researcher Alex Inführ discovered and disclosed a way to achieve a remote code execution as soon as a user opens a malicious ODT (OpenDocument Text) file and moves the mouse over the document, without generating any warning dialog.
The attack relies on exploiting a directory traversal flaw, identified as CVE-2018-16858 to automatically execute a specific python library bundled within the software using a hidden onmouseover event. This CVE has been assigned a CVSS V3 base score of 7.8, but is still marked as reserved according to MITRE and not published in the NVD. To exploit the vulnerability, Inführ created an ODT file with a white-colored hyperlink that has an onmouseover event to trick victims into executing a locally available Python file on their system when placing their mouse anywhere on the invisible hyperlink (and the link was covering the entire page to increase the chances of a user moving the mouse over and executing the payload!). According to the researcher, one of Python files that comes included with the LibreOffice’s own Python interpreter accepts arbitrary user-defined commands and executes them through the system’s command line or console.
- LibreOffice 6.1.0-18.104.22.168
- OpenOffice: 4.1.6 (most recent version)
Tested operating systems: Windows and Linux (by Inführ), macOS (by Tenable, after editing the Proof of Concept (PoC) code)
Exploitation and Risk
The researcher released the PoC exploit code for the vulnerability and reported it to both LibreOffice and Apache OpenOffice in October of 2018. LibreOffice fixed the issue by the end of that month with the release of the new version of LibreOffice. OpenOffice still appears to be vulnerable. RedHat assigned the path traversal vulnerability a CVE ID in November and advised the researcher not to disclose the details or PoC of the bug until the end of January of 2019. Inführ published a blog post detailing the PoC exploit code for the vulnerability on February 1st.
Apache OpenOffice 4.1.6 remains unpatched. Even though the original exploit code does not work on it, the path traversal can be abused to execute a Python script from another location on the local file system.
According to Tenable, while this vulnerability does require user interaction, an OpenDocument Text (ODT) file containing a malicious URL is not likely to be flagged by most corporate security defenses: There isn’t any malicious code or otherwise altered elements to the document. It wouldn’t be seen as malware, and the text can be changed to the same color as the document background to make it invisible to the average user. They have developed plugins to identify the vulnerability.
- LibreOffice addressed this vulnerability with the release of LibreOffice 22.214.171.124, and upgrading to that version or later should mitigate the vulnerability.
- As a workaround for OpenOffice, users can remove or rename the pythonscript.py file in the installation folder to disable the support for python.
Share your thought in our community!