The Apache Software Foundation fixed four vulnerabilities Friday tied to its popular Apache OpenOffice suite of free productivity applications. The patches are for the suite’s word processing and graphics apps. Each of the vulnerabilities is rated medium in severity.
Three of the four bugs patched are out-of-bound vulnerabilities that, if exploited, could allow arbitrary code execution. All three of these bugs were found by Cisco Talos, which alerted The Apache Software Foundation to its discovery in March.
On Thursday, the Apache Software Foundation publicly acknowledged the bugs, which affect OpenOffice 4.1.3, and offered a 4.1.4 update to the office suite that fixes the problems.
The three out-of-bound vulnerabilities (CVE-2017-9806, CVE-2017-12607, CVE-2017-12608) are related in that each allows an adversary to compromise systems via malicious office documents that, upon opening, attack the host system. This is a common problem, which has also plagued Microsoft and its Office suite of productivity apps.
One of the OpenOffice vulnerabilities found by Talos (CVE-2017-9806) allows an attacker to create a malicious font that causes an out-of-bound write, which in turn results in remote code execution.
“The vulnerability is in the WW8Fonts::WW8Fonts class of the OpenOffice word processor application. An attacker can build a malicious .doc (Microsoft Word Binary File Format) file with a specially crafted malicious font,” wrote Marcin Noga, the Cisco Talos researcher credited with finding each of the out-of-bound vulnerabilities.
The second vulnerability (CVE-2017-12608), Noga said, exists in the ‘WW8RStyle::ImportOldFormatStyles’ functionality of OpenOffice used for document creation. “A specially crafted doc file will cause an out of bound write and result in arbitrary code execution locally on the victim’s machine in the same context of the current running user,” the researcher said.
Another vulnerability (CVE-2017-12607) is in OpenOffice’s Draw application used to create .PPT formatted files. The out-of-bound write vulnerability exists in the ‘PPTStyleSheet::PPTStyleSheet’ functionality, Noga explains.
“An attacker can create a specifically crafted PPT file which exploits this vulnerability causing an out of bound write and resulting in arbitrary code execution locally on the victim’s machine in the context of the current user,” said the Talos researcher.
Researcher Ben Hayak, product security lead at Salesforce, is credited with finding the fourth vulnerability (CVE-2017-3157) in OpenOffice’s word processor application. It was also patched Friday.
“By exploiting the way OpenOffice renders embedded objects, an attacker could craft a document that allows reading in a file from the user’s filesystem. Information could be retrieved by the attacker by, e.g., using hidden sections to store the information, tricking the user into saving the document and convincing the user to send the document back to the attacker,” wrote OpenOffice in an advisory posted Friday.
According to the Apache OpenOffice advisories posted Friday, none of the four vulnerabilities are known to have been exploited. The mitigation in all cases is to install Apache OpenOffice 4.1.4.