The Weak Master Keys vulnerability affects master passwords in LibreOffice.
Users are prompted by the application to reenter their master password to re-encrypt old configuration data that has been stored using the encryption weakness. The newer versions use unique initialization vectors when master passwords are created and stored. The issue was fixed in LibreOffice 7.2.7 and 7.3.3 and later. LibreOffice used the same "initialization vector for encryption", which weakened the security of the encryption, provided that an attacker has access to the user's configuration data. The passwords are encrypted with a master password that users set manually.Ī vulnerability was found in LibreOffice that could allow malicious actors to retrieve passwords stored by the Office suite. LibreOffice users may save passwords in the configuration database that LibreOffice may use for web connections. Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password Use this setting only if you are certain that all documents that will be opened are safe.
LibreOffice could then allow the execution of macros that are not signed using the trusted certificate this could lead to the execution of arbitrary code on the system using macros that are not trusted.
LibreOffice matched "the serial number and issuer string of the used certificate with that of a trusted certificate" only, which is insufficient.Īn attacker could create an arbitrary certificate that matches the serial number and issuer string of a trusted certificate that LibreOffice uses. Security researchers detected an issue in the certification validation algorithm that LibreOffice uses. The macro is executed if a matching certificate is found, and blocked otherwise. When a document contains macros, LibreOffice attempts to match the certificate to the list of trusted certificates.
LibreOffice maintains a list of trusted certificates that are stored in the user's configuration database. LibreOffice supports the execution of macros, but limits the execution to macros to documents that are either stored in a trusted file location or are signed by a trusted certificate. CVE-2022-26306 - Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master PasswordĮxecution of Untrusted Macros Due to Improper Certificate Validation.CVE-2022-26305 - Execution of Untrusted Macros Due to Improper Certificate Validation.