LibreOffice is a free and open-source office productivity software suite, a project of The Document Foundation. It was forked in 2010 from OpenOffice.org, an open-sourced version of the earlier StarOffice. The project has published an advisory for a critical vulnerability in its office suite.
Macro URL arbitrary script execution (CVE-ID: CVE-2022-3140)
Description
The flaw enables a remote adversary to run any shell commands they choose on the victim machine.
The flaw is caused by incorrect input validation when parsing the parameters of the "vnd.libreoffice.command" URI scheme. By crafting a specially constructed document and deceiving the target into opening it, a remote adversary can run internal macros with arbitrary parameters.
Successful exploitation could fully compromise the affected system.
Mitigation
Install the updates from the LibreOffice website for the following vulnerable software versions:
LibreOffice: 7.4.0.1 – 7.4.0.3, 7.3.5.1 – 7.3.5.2, 7.3.4.1 – 7.3.4.2, 7.3.3.1 – 7.3.3.2, 7.3.2.1 – 7.3.2.2, 7.3.1.1 – 7.3.1.3, 7.3.0.1 – 7.3.0.3
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.