Digital Signature Spoofing Flaws Uncovered in OpenOffice and LibreOffice

The maintainers of LibreOffice and OpenOffice have shipped security updates to their productivity software to remediate multiple vulnerabilities that could be weaponized by malicious actors to alter documents to make them appear as if they're digitally signed by a trusted source.

The list of the three flaws is as follows:

Successful exploitation of the vulnerabilities could permit an attacker to manipulate the timestamp of signed ODF documents, and worse, alter the contents of a document or self-sign a document with an untrusted signature, which is then tweaked to change the signature algorithm to an invalid or unknown algorithm.

In both of the latter two attack scenarios, which stem from improper certificate validation, LibreOffice incorrectly displays a validly signed indicator suggesting that the document hasn't been tampered with since signing and presents a signature with an unknown algorithm as a legitimate signature issued by a trusted party.
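For triage on the receiving side, the unknown-algorithm scenario described above can be checked without opening the document: the sketch below lists the signature and digest algorithm URIs in an ODF package's signature files and flags any that are not on an allowlist. It is an added example, not code from LibreOffice, OpenOffice or the researchers, and it does not verify signatures or certificates. The allowlist, the function names and the sample package are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SIG_FILES = ("META-INF/documentsignatures.xml", "META-INF/macrosignatures.xml")
# Assumed allowlist of XML-DSig algorithm URIs; adjust to local policy.
KNOWN = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}

def audit_odf_signatures(odf_bytes):
    """Return (file, signature index, element, algorithm) for each unlisted algorithm."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        for name in [n for n in SIG_FILES if n in pkg.namelist()]:
            data = pkg.read(name)
            if b"<!DOCTYPE" in data:  # refuse DTDs: no entity expansion on untrusted XML
                findings.append((name, -1, "DOCTYPE", "rejected"))
                continue
            for i, sig in enumerate(ET.fromstring(data).iter(DS + "Signature")):
                for tag in ("SignatureMethod", "DigestMethod"):
                    for el in sig.iter(DS + tag):
                        alg = el.get("Algorithm", "")
                        if alg not in KNOWN:
                            findings.append((name, i, tag, alg))
    return findings

def make_sample(sig_alg):
    """Constructed ODF-like package; signature values are omitted on purpose."""
    xml = (
        '<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0">'
        '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
        f'<SignatureMethod Algorithm="{sig_alg}"/>'
        '<Reference URI="content.xml">'
        '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        '</Reference></SignedInfo></Signature></document-signatures>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/documentsignatures.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_odf_signatures(make_sample("urn:example:unknown-alg")))
```

A finding here is a reason to distrust the signed-status indicator of an unpatched viewer, not proof of tampering; an empty result says nothing about whether the signature itself is valid.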

The weaknesses have been fixed in OpenOffice version 4.1.11 and LibreOffice versions 7.0.5, 7.0.6, 7.1.1 as well as 7.1.2. The Chair for Network and Data Security (NDS) at the Ruhr-University Bochum has been credited with discovering and reporting all three issues.

The findings are the latest in a series of flaws uncovered by the Ruhr-University Bochum researchers and follow similar attack techniques disclosed earlier this year that could potentially allow an adversary to modify a certified PDF document's visible content by displaying malicious content over the certified content without invalidating its signature.

Users of LibreOffice and OpenOffice are advised to update to the latest version to mitigate the risk associated with the flaws.