Multiple Vulnerabilities in Apache OpenOffice Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2017-108
Date(s) Issued: 
Friday, October 27, 2017
Subject: 
Multiple Vulnerabilities in Apache OpenOffice Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in OpenOffice, which could allow for arbitrary code execution. OpenOffice is an open-source productivity software suite that contains a word processor, spreadsheet application, presentation application, drawing application, formula editor, and a database management application. Successfully exploiting these vulnerabilities could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.

Systems Affected: 
  • Apache OpenOffice prior to 4.1.4
RISK
GOVERNMENT
Large and medium government entities: 
Low
Small government entities: 
High
BUSINESS
Large and medium business entities: 
Low
Small business entities: 
High
Home Users: 
Low
Description: 

Multiple vulnerabilities have been discovered in Apache OpenOffice, which could allow for arbitrary code execution. Details regarding these vulnerabilities are as below:

  • A vulnerability in the OpenOffice Writer DOC file parser, specifically in the WW8Fonts Constructor, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution. (CVE-2017-9806)
  • A vulnerability in OpenOffice's PPT file parser, specifically in PPTStyleSheet, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution. (CVE-2017-12607)
  • A vulnerability in OpenOffice Writer DOC file parser, specifically in ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution. (CVE-2017-12608)

Successfully exploiting these vulnerabilities could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.

Actions: 
  • Verify no unauthorized system modifications have occurred on system before applying patch.
  • After appropriate testing, immediately upgrade to the latest version of OpenOffice.
  • Apply the principle of Least Privilege to all systems and services.
  • Remind users not to open emails, download attachments, or follow links provided by unknown or untrusted sources.