CVE-2021-25634

7.5 HIGH

📋 TL;DR

LibreOffice has an improper certificate validation vulnerability that allows attackers to modify digitally signed ODF documents and insert bogus signing timestamps. LibreOffice incorrectly presents these manipulated signatures as valid, potentially misleading users about document integrity. This affects LibreOffice 7.0 versions before 7.0.6 and 7.1 versions before 7.1.2.

💻 Affected Systems

Products:
  • LibreOffice
Versions: 7.0 versions prior to 7.0.6; 7.1 versions prior to 7.1.2
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using affected versions are vulnerable regardless of configuration.

📦 What is this software?

LibreOffice is a free, open-source office suite maintained by The Document Foundation. Its native file format is OpenDocument (ODF), which supports XML digital signatures and signing timestamps on documents; this vulnerability concerns how LibreOffice validates those signatures.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could forge signatures on critical documents (contracts, financial records, legal documents) making them appear legitimate and unaltered, leading to fraud, data manipulation, or unauthorized approvals.

🟠 Likely Case

Attackers modify signed documents to insert false timestamps, making documents appear signed at different times than they actually were, potentially affecting audit trails and document validity.

🟢 If Mitigated

With proper controls, users verify signatures through multiple channels, maintain document integrity checks, and use updated software, reducing the risk of successful exploitation.

🌐 Internet-Facing: MEDIUM - Documents can be distributed via email or web, but exploitation requires user interaction to open manipulated documents.
🏢 Internal Only: MEDIUM - Internal document sharing could be compromised if users open malicious documents, but requires initial document compromise.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires creating a specially crafted ODF document with manipulated signature timestamps. User must open the document in vulnerable LibreOffice version.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: LibreOffice 7.0.6 or 7.1.2

Vendor Advisory: https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25634

Restart Required: No

Instructions:

1. Download the latest LibreOffice from the official website.
2. Run the installer.
3. Verify the version is 7.0.6 or higher for the 7.0 branch, or 7.1.2 or higher for the 7.1 branch.

🔧 Temporary Workarounds

Disable macro execution (Platform: all)

Prevent macro execution in documents to reduce attack surface.

Tools → Options → Security → Macro Security → Set to 'Very High'

Use alternative document viewers (Platform: all)

Open ODF documents in non-vulnerable software when signature verification is not required.

🧯 If You Can't Patch

  • Implement document integrity checks using external tools or manual verification processes
  • Restrict opening of digitally signed documents to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Open LibreOffice → Help → About LibreOffice → Check version number. If version is 7.0.0-7.0.5 or 7.1.0-7.1.1, system is vulnerable.

Check Version:

libreoffice --version

Verify Fix Applied:

After update, check version is 7.0.6 or higher (7.0 branch) or 7.1.2 or higher (7.1 branch). Test with known good signed documents.
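As an added example (not code from the advisory page or from LibreOffice itself), the following Python check parses the output of the libreoffice --version command shown above and applies the affected ranges listed on this page (7.0.x before 7.0.6, 7.1.x before 7.1.2). The sample version strings are constructed for illustration.

```python
import re
import subprocess

# Fixed releases per affected branch, as stated in this advisory.
# Any 7.0.x below 7.0.6 or 7.1.x below 7.1.2 is vulnerable; other
# branches are outside the advisory's scope and are reported as not affected.
FIXED_IN = {(7, 0): (7, 0, 6), (7, 1): (7, 1, 2)}


def parse_version(text):
    """Extract the dotted version from 'libreoffice --version' output as an int tuple."""
    m = re.search(r"LibreOffice\s+(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no LibreOffice version found in: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to at least major.minor.patch so a bare "7.0" compares as 7.0.0.
    while len(parts) < 3:
        parts += (0,)
    return parts


def is_vulnerable(version):
    """True if the version is in an affected branch and below that branch's fix."""
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return False
    # Compare only major.minor.patch; the 4th component is a build number.
    return version[:3] < fixed


def check_installed(cmd=("libreoffice", "--version")):
    """Run the version command and return (version_tuple, vulnerable)."""
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    v = parse_version(out)
    return v, is_vulnerable(v)


if __name__ == "__main__":
    # Constructed sample outputs in the format 'libreoffice --version' prints.
    for sample in ("LibreOffice 7.0.4.2 00(Build:2)", "LibreOffice 7.1.2.2 00(Build:2)"):
        v = parse_version(sample)
        print(sample, "->", "VULNERABLE" if is_vulnerable(v) else "not affected")
```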

📡 Detection & Monitoring

Log Indicators:

  • Unusual document modification timestamps
  • Multiple signature validation failures

Network Indicators:

  • Unusual document downloads from untrusted sources

SIEM Query:

source="libreoffice" AND (event="document_open" OR event="signature_validation") AND result="failure"
