FreeBSD : Apache OpenOffice -- master password vulnerabilities (6678211c-bd47-11ed-beb0-1c1b0d9ea7e6)

high Nessus Plugin ID 172248

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 6678211c-bd47-11ed-beb0-1c1b0d9ea7e6 advisory.

- Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference:
CVE-2022-26306 - LibreOffice (CVE-2022-37400)

- Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice (CVE-2022-37401)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?b3b3105a

http://www.nessus.org/u?5ef47d85

Plugin Details

Severity: High

ID: 172248

File Name: freebsd_pkg_6678211cbd4711edbeb01c1b0d9ea7e6.nasl

Version: 1.0

Type: local

Published: 3/7/2023

Updated: 3/7/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-37401

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:apache-openoffice, cpe:/o:freebsd:freebsd, p-cpe:/a:freebsd:freebsd:apache-openoffice-devel

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 3/8/2023

Vulnerability Publication Date: 8/15/2022

Reference Information

CVE: CVE-2022-37400, CVE-2022-37401