CVE-2021-25633

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to create digitally signed LibreOffice documents that appear valid but contain manipulated content unrelated to the displayed signature. By tampering with certificate data in document signature files, attackers can trick users into trusting malicious documents. This affects LibreOffice users running versions 7.0 prior to 7.0.6 and 7.1 prior to 7.1.2.

💻 Affected Systems

Products:
  • LibreOffice
Versions: 7.0 versions prior to 7.0.6; 7.1 versions prior to 7.1.2
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers distribute malicious documents that appear legitimately signed by trusted entities, leading to malware installation, data theft, or credential harvesting when users open them.

🟠 Likely Case

Phishing campaigns using seemingly legitimate signed documents to trick users into executing malicious macros or revealing sensitive information.

🟢 If Mitigated

Users verify document authenticity through additional channels, limiting damage to isolated incidents with minimal data exposure.

🌐 Internet-Facing: MEDIUM - Attackers can distribute malicious documents via email or web, but requires user interaction to open documents.
🏢 Internal Only: MEDIUM - Internal users could be tricked by malicious documents from compromised accounts or external sources.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires creating a malicious document but doesn't require special privileges. Attackers need to convince users to open the document.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: LibreOffice 7.0.6 or 7.1.2

Vendor Advisory: https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25633

Restart Required: No

Instructions:

1. Download the latest version from libreoffice.org.
2. Install over the existing installation.
3. Verify the version with 'libreoffice --version' (Linux) or Help > About (Windows/macOS).

🔧 Temporary Workarounds

Disable macro execution (applies to: all platforms)

Prevents malicious macros from running even if the document is opened.

Tools > Options > Security > Macro Security > Set to 'Very High' (disable all macros)

Use alternative office software (applies to: all platforms)

Temporarily use patched versions or alternative software for opening ODF documents.

🧯 If You Can't Patch

  • Educate users to verify document authenticity through separate channels before trusting signatures
  • Implement email filtering to block ODF documents from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check the LibreOffice version: on Linux/macOS run 'libreoffice --version', on Windows check Help > About. If the version is 7.0.0-7.0.5 or 7.1.0-7.1.1, the system is vulnerable.

Check Version:

libreoffice --version

Verify Fix Applied:

Confirm the version is 7.0.6 or later on the 7.0 branch, or 7.1.2 or later on the 7.1 branch. Test by opening known-good signed documents to ensure signature validation works properly.
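The version check described above, as an added example that is not part of this advisory: a small Python helper that parses a 'libreoffice --version' line (or a Help > About string) and classifies it against the affected ranges listed here. The four-component output format and the sample lines are constructed assumptions.

```python
import re

# Affected ranges taken from the advisory: 7.0 before 7.0.6 and 7.1 before 7.1.2.
# Each entry is (first_affected, first_fixed); the first fixed version is not affected.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 6)),
    ((7, 1, 0), (7, 1, 2)),
]

# LibreOffice reports three or four numeric components, e.g. 7.0.4.2 (assumed format).
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text):
    """Extract the first dotted version from a version line.
    'LibreOffice 7.0.4.2 00(Build:2)' -> (7, 0, 4, 2); None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version):
    """True if the (major, minor, micro[, patch]) tuple lies inside an affected range.
    Only the first three components are compared, so 7.0.5.2 is affected and
    7.0.6.1 is fixed; a 7.1.x build is checked against the 7.1 range, not the 7.0 one."""
    key = version[:3]
    return any(lo <= key < hi for lo, hi in AFFECTED_RANGES)


def assess(text):
    """Classify a version string as 'vulnerable', 'not_affected' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "not_affected"


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real installations.
    for line in ["LibreOffice 7.0.4.2 00(Build:2)", "LibreOffice 7.0.6.2 00(Build:2)",
                 "LibreOffice 7.1.1.2", "LibreOffice 7.1.2.2", "no version here"]:
        print(f"{line!r} -> {assess(line)}")
```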

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed signature validations
  • Unexpected certificate combinations in document signatures

Network Indicators:

  • Unusual ODF document downloads from external sources
  • Documents with modified signatures.xml files

SIEM Query:

source="libreoffice" AND (event="signature_validation_failed" OR event="certificate_mismatch")
