CentOS 7 : libreoffice (RHSA-2020:1151)

critical Nessus Plugin ID 135347

Synopsis

The remote CentOS Linux host is missing one or more security updates.

Description

The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1151 advisory.

- LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5. (CVE-2019-9848)

- LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5. (CVE-2019-9849)

- LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9850)

- LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over.
However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects:
Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9851)

- LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
(CVE-2019-9852)

- LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7;
LibreOffice 6.3 series versions prior to 6.3.1. (CVE-2019-9853)

- LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1. (CVE-2019-9854)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://access.redhat.com/errata/RHSA-2020:1151

Plugin Details

Severity: Critical

ID: 135347

File Name: centos_RHSA-2020-1151.nasl

Version: 1.5

Type: local

Agent: unix

Published: 4/10/2020

Updated: 10/9/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.4

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-9851

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:centos:centos:libreoffice-help-pt-br, p-cpe:/a:centos:centos:libreoffice-help-gu, p-cpe:/a:centos:centos:libreoffice-wiki-publisher, p-cpe:/a:centos:centos:libreoffice-help-si, p-cpe:/a:centos:centos:libreoffice-core, p-cpe:/a:centos:centos:libreoffice-gtk3, p-cpe:/a:centos:centos:libreoffice-help-bn, p-cpe:/a:centos:centos:libreoffice-help-ja, p-cpe:/a:centos:centos:autocorr-sk, p-cpe:/a:centos:centos:libreoffice-help-sk, p-cpe:/a:centos:centos:libreoffice-math, p-cpe:/a:centos:centos:libreoffice-help-ca, p-cpe:/a:centos:centos:libreoffice-help-cs, p-cpe:/a:centos:centos:libreoffice-help-da, p-cpe:/a:centos:centos:autocorr-da, p-cpe:/a:centos:centos:libreoffice-help-ta, p-cpe:/a:centos:centos:libreoffice-draw, p-cpe:/a:centos:centos:libreoffice-ogltrans, p-cpe:/a:centos:centos:libreofficekit, p-cpe:/a:centos:centos:libreoffice-rhino, p-cpe:/a:centos:centos:libreoffice-help-eu, p-cpe:/a:centos:centos:libreoffice-pdfimport, p-cpe:/a:centos:centos:libreoffice-help-ar, p-cpe:/a:centos:centos:autocorr-ko, p-cpe:/a:centos:centos:libreoffice-calc, p-cpe:/a:centos:centos:libreoffice-help-sv, p-cpe:/a:centos:centos:libreoffice-sdk, p-cpe:/a:centos:centos:autocorr-pl, p-cpe:/a:centos:centos:autocorr-es, p-cpe:/a:centos:centos:libreoffice-base, p-cpe:/a:centos:centos:libreoffice-help-hr, p-cpe:/a:centos:centos:autocorr-lb, p-cpe:/a:centos:centos:libreoffice-ure, p-cpe:/a:centos:centos:libreoffice-help-lt, p-cpe:/a:centos:centos:libreoffice-gdb-debug-support, p-cpe:/a:centos:centos:autocorr-ga, p-cpe:/a:centos:centos:libreoffice-help-he, p-cpe:/a:centos:centos:autocorr-tr, p-cpe:/a:centos:centos:autocorr-fi, p-cpe:/a:centos:centos:libreoffice-officebean, p-cpe:/a:centos:centos:libreoffice-gtk2, p-cpe:/a:centos:centos:libreoffice-help-es, p-cpe:/a:centos:centos:libreoffice-help-et, p-cpe:/a:centos:centos:autocorr-it, p-cpe:/a:centos:centos:libreoffice-postgresql, p-cpe:/a:centos:centos:autocorr-hr, p-cpe:/a:centos:centos:autocorr-zh, p-cpe:/a:centos:centos:libreoffice-help-id, p-cpe:/a:centos:centos:libreoffice-help-nn, p-cpe:/a:centos:centos:libreoffice-help-dz, p-cpe:/a:centos:centos:libreoffice-help-uk, p-cpe:/a:centos:centos:libreofficekit-devel, p-cpe:/a:centos:centos:autocorr-lt, p-cpe:/a:centos:centos:libreoffice-glade, p-cpe:/a:centos:centos:libreoffice-help-ko, p-cpe:/a:centos:centos:autocorr-de, p-cpe:/a:centos:centos:libreoffice-help-gl, p-cpe:/a:centos:centos:libreoffice-help-el, p-cpe:/a:centos:centos:autocorr-sr, p-cpe:/a:centos:centos:libreoffice-writer, p-cpe:/a:centos:centos:autocorr-ja, p-cpe:/a:centos:centos:autocorr-nl, p-cpe:/a:centos:centos:autocorr-af, p-cpe:/a:centos:centos:libreoffice, p-cpe:/a:centos:centos:libreoffice-xsltfilter, p-cpe:/a:centos:centos:libreoffice-help-tr, p-cpe:/a:centos:centos:libreoffice-nlpsolver, p-cpe:/a:centos:centos:libreoffice-opensymbol-fonts, p-cpe:/a:centos:centos:autocorr-bg, p-cpe:/a:centos:centos:libreoffice-help-fi, p-cpe:/a:centos:centos:libreoffice-help-ro, p-cpe:/a:centos:centos:autocorr-cs, p-cpe:/a:centos:centos:libreoffice-bsh, p-cpe:/a:centos:centos:libreoffice-help-pt-pt, p-cpe:/a:centos:centos:autocorr-is, p-cpe:/a:centos:centos:libreoffice-help-bg, p-cpe:/a:centos:centos:libreoffice-help-de, p-cpe:/a:centos:centos:libreoffice-help-ru, p-cpe:/a:centos:centos:autocorr-sl, p-cpe:/a:centos:centos:libreoffice-help-zh-hant, cpe:/o:centos:centos:7, p-cpe:/a:centos:centos:libreoffice-impress, p-cpe:/a:centos:centos:autocorr-mn, p-cpe:/a:centos:centos:libreoffice-help-nb, p-cpe:/a:centos:centos:libreoffice-help-nl, p-cpe:/a:centos:centos:libreoffice-data, p-cpe:/a:centos:centos:libreoffice-pyuno, p-cpe:/a:centos:centos:libreoffice-help-it, p-cpe:/a:centos:centos:libreoffice-help-hi, p-cpe:/a:centos:centos:libreoffice-filters, p-cpe:/a:centos:centos:libreoffice-ure-common, p-cpe:/a:centos:centos:libreoffice-sdk-doc, p-cpe:/a:centos:centos:autocorr-ca, p-cpe:/a:centos:centos:autocorr-fr, p-cpe:/a:centos:centos:autocorr-fa, p-cpe:/a:centos:centos:autocorr-hu, p-cpe:/a:centos:centos:libreoffice-officebean-common, p-cpe:/a:centos:centos:libreoffice-help-hu, p-cpe:/a:centos:centos:autocorr-en, p-cpe:/a:centos:centos:autocorr-ru, p-cpe:/a:centos:centos:libreoffice-help-lv, p-cpe:/a:centos:centos:libreoffice-langpack-en, p-cpe:/a:centos:centos:libreoffice-x11, p-cpe:/a:centos:centos:libreoffice-emailmerge, p-cpe:/a:centos:centos:libreoffice-librelogo, p-cpe:/a:centos:centos:libreoffice-help-fr, p-cpe:/a:centos:centos:autocorr-vi, p-cpe:/a:centos:centos:autocorr-pt, p-cpe:/a:centos:centos:libreoffice-help-pl, p-cpe:/a:centos:centos:autocorr-ro, p-cpe:/a:centos:centos:libreoffice-graphicfilter, p-cpe:/a:centos:centos:libreoffice-help-zh-hans, p-cpe:/a:centos:centos:libreoffice-help-sl, p-cpe:/a:centos:centos:autocorr-sv

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/CentOS/release, Host/CentOS/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/8/2020

Vulnerability Publication Date: 7/17/2019

Exploitable With

Core Impact

Metasploit (LibreOffice Macro Python Code Execution)

Reference Information

CVE: CVE-2019-9848, CVE-2019-9849, CVE-2019-9850, CVE-2019-9851, CVE-2019-9852, CVE-2019-9853, CVE-2019-9854

RHSA: 2020:1151