Download of the secure example configuration for LibreOffice
LibreOffice and the related OpenOffice are among the few established office suites alongside products from Microsoft. The Document Foundation estimates that around 200 million users actively use LibreOffice. Office documents such as job applications, invoices and study papers often find their way to internal IT systems via the e-mail inbox. If these files contain macros or exploit vulnerabilities in the office suite, attackers can gain a foothold on our workstations. Thoughtful configuration of the office application can reduce the risk of a successful attack.
The BSI has been supporting administrators for some time with a guide for the secure configuration of Microsoft Office. A comparable document for LibreOffice has been missing until now.
OpenSource Security has developed a corresponding guide on behalf of the German Federal Office for Information Security (BSI). The document summarizes all important security settings and gives recommendations for a secure configuration of LibreOffice. The guide is available on the BSI website.
The document supports the user in creating a complementary XML configuration file for LibreOffice. The configuration can be easily installed and adapted to one’s own security needs. We provide a complete example file on our website. Instructions for installation and handling can be taken from the guide.
As part of the project, OpenSource Security has discovered four previously unknown vulnerabilities in LibreOffice. All vulnerabilities were reported to the Document Foundation and have since been fixed.
Due to the first vulnerability (CVE-2022-26305), an attacker can impersonate a trusted macro author. The macros security settings no longer work properly due to this flaw and malicious code can be executed. For a successful attack, however, at least one certificate from a trusted macro author must be stored in LibreOffice. In addition, a potential attacker must know the serial number of the stored certificate. In companies that protect themselves against malware using signed macros, this scenario is realistic and the vulnerability is a real danger.
Two further vulnerabilities (CVE-2022-26306, CVE-2022-26307) affect the security of the LibreOffice password safe. LibreOffice derives a weak key based on a supposedly strong master password and uses it to encrypt the password safe. The second flaw even allows parts of the stored passwords to be recovered without the master password at all. For the latter to succeed, the attacker must know or guess at least one of the stored passwords beforehand. In addition, the attacker needs access to the file in which the passwords are saved by LibreOffice.
The fourth vulnerability (CVE-2018-6871), the core of which has been known since 2018, allows an attacker to read file contents from the victim’s hard disk and transfer them to a web server via HTTP. Through the CSV import function of the spreadsheet application Calc, the content of an arbitrary file can be loaded into a table. In a second step, the contents of the table are transferred via HTTP using a formula function. The vulnerability can also be exploited if macros are disabled.
Those who work with LibreOffice should update the Office packages to the latest version. Versions 7.2.7 and 7.3.3 seal the vulnerabilities and can be downloaded from the LibreOffice website.
In addition, the resilience of LibreOffice can be improved by implementing the recommendations from the BSI guide. An attack via the four vulnerabilities described runs into the void by implementing the recommendations.