The version of libreoffice installed on the remote host is prior to 5.3.6.1-21. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2LIBREOFFICE-2023-002 advisory.

    LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on     various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a     programmable turtle vector graphics script, which can be manipulated into executing arbitrary python     commands. By using the document event feature to trigger LibreLogo to execute python contained within a     document a malicious document could be constructed which would execute arbitrary python commands silently     without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This     issue affects: Document Foundation LibreOffice versions prior to 6.2.5. (CVE-2019-9848)

    LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to     retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to     disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet     graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation     LibreOffice versions prior to 6.2.5. (CVE-2019-9849)

    LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can     execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a     feature where documents can specify that pre-installed scripts can be executed on various document script     events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo     from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed     malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This     issue affects: Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9850)

    LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can     execute arbitrary python commands contained with the document it is launched from. Protection was added,     to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over.
    However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can     be executed on various global script events such as document-open, etc. In the fixed versions, global     script event handlers are validated equivalently to document script event handlers. This issue affects:
    Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9851)

    LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various     script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under     the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was     added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary     locations on the file system could be executed. However this new protection could be bypassed by a URL     encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded     before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
    (CVE-2019-9852)

    LibreOffice documents can contain macros. The execution of those macros is controlled by the document     security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in     how the urls to the macros within the document were processed and categorized, resulting in the     possibility to construct a document where macro execution bypassed the security settings. The documents     were correctly detected as containing macros, and prompted the user to their existence within the     documents, but macros within the document were subsequently not controlled by the security settings     allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7;
    LibreOffice 6.3 series versions prior to 6.3.1. (CVE-2019-9853)

    LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various     script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under     the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was     added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary     locations on the file system could be executed by employing a URL encoding attack to defeat the path     verification step. However this protection could be bypassed by taking advantage of a flaw in how     LibreOffice assembled the final script URL location directly from components of the passed in path as     opposed to solely from the sanitized output of the path verification step. This issue affects: Document     Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1. (CVE-2019-9854)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2 : libreoffice (ALASLIBREOFFICE-2023-002)

critical Nessus Plugin ID 182035

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.3 Dec 12, 2024, 9:55 AM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Detection (updated detection logic) Plugin metadata Plugin Feed: 202412120955
Version 1.2 Oct 2, 2023, 6:07 PM IAVM reference Plugin Feed: 202310021807
Version 1.1 Sep 28, 2023, 4:12 PM Exploit attributes ("Exploit framework core" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available". "Exploited by malware" set to "True") Plugin Feed: 202309281612
Version 1.0 Sep 27, 2023, 10:33 PM New Plugin Feed: 202309272233