Vulnerability in Apache OpenOffice and LibreOffice Could Allow Remote Code Execution

ITS Advisory Number: 
2015-046
Date(s) Issued: 
Monday, April 27, 2015
Subject: 
Vulnerability in Apache OpenOffice and LibreOffice Could Allow Remote Code Execution
Overview: 

A vulnerability has been discovered in LibreOffice and Apache OpenOffice which could allow for remote code execution. Both Apache OpenOffice and LibreOffice are open-source office productivity software suites that do word processing, spreadsheets, slideshows, diagrams and drawings, maintain databases, and compose mathematical formulae.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Apache OpenOffice 4.1.1 and prior
  • LibreOffice versions other than 4.3.7 and 4.4.2
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

A vulnerability in OpenOffice and LibreOffice Hangul Word Processor (HWP) filters has been confirmed by each vendor.  This vulnerability could be exploited by opening a specially crafted HWP formatted document (".hwp") via an e-mail attachment. When a user running a vulnerable version of the product opens a HWP document, malicious code could then be executed.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 

We recommend the following actions be taken:

  • LibreOffice users should update to the latest version of LibreOffice after appropriate testing.
  • OpenOffice is anticipating a fix in version 4.1.2, not yet released, but offers a workaround solution. Refer to the Apache OpenOffice advisory referenced below.
  • Run all software as a non-privileged user to diminish effects of a successful attack.
  • Remind users not to click links or open attachments from unknown sources, or to click links without verifying the intended destination.