CVE-2021-25635
📋 TL;DR
This vulnerability allows attackers to forge digital signatures on LibreOffice documents. An attacker can modify a signed ODF document so that its signature declares an invalid signature algorithm; LibreOffice fails to reject that signature and incorrectly presents the document as validly signed and trusted. This affects LibreOffice users who rely on document signatures to verify authenticity.
💻 Affected Systems
- LibreOffice
📦 What is this software?
LibreOffice by LibreOffice
⚠️ Risk & Real-World Impact
Worst Case
Attackers could distribute malicious documents that appear to be signed by trusted sources, leading to malware execution, data theft, or social engineering attacks.
Likely Case
Users might unknowingly open and trust malicious documents thinking they come from legitimate sources, potentially compromising their systems.
If Mitigated
With patched software, the forged signature is rejected rather than shown as trusted; security awareness training additionally helps users treat unexpected or unsolicited documents with suspicion.
🎯 Exploit Status
Exploitation requires creating a specially crafted ODF document and convincing a user to open it. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.5 or 7.1.1 and later
Vendor Advisory: https://www.libreoffice.org/about-us/security/advisories/cve-2021-25635/
Restart Required: No
Instructions:
1. Download the latest LibreOffice version from the official website.
2. Install the update.
3. Verify the version is 7.0.5 or higher for the 7.0.x branch, or 7.1.1 or higher for the 7.1.x branch.
🔧 Temporary Workarounds
Disable document signature verification
Temporarily disable signature verification in LibreOffice settings, so that no document (forged or genuine) is presented as trusted until the update is applied
Use alternative office software
Use a patched version of LibreOffice or an alternative office suite until systems can be updated
🧯 If You Can't Patch
- Implement strict document handling policies: only open documents from verified sources
- Use application whitelisting to restrict execution of LibreOffice if not essential
🔍 How to Verify
Check if Vulnerable:
Check the LibreOffice version via Help → About LibreOffice. If the version is 7.0.0 through 7.0.4, or 7.1.0, the system is vulnerable.
Check Version:
Run libreoffice --version (Linux/macOS) or check via Help → About LibreOffice (Windows)
Verify Fix Applied:
After updating, verify the version is 7.0.5 or higher (for 7.0.x) or 7.1.1 or higher (for 7.1.x). Then open known-good signed documents to confirm that valid signatures are still reported as valid, and that a document whose signature does not verify is not shown as trusted.
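The version check above, as an added POSIX shell example (not part of the advisory): it parses the first line of libreoffice --version output and classifies the version against the affected ranges this page lists. It assumes the output starts with "LibreOffice x.y.z[.w]", as the Linux/macOS build prints it; the function and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a LibreOffice version against the ranges this page
# lists as affected by CVE-2021-25635 (7.0.0-7.0.4 and 7.1.0).

# Returns 0 if the version is in a listed affected range, 1 otherwise.
# Assumes a numeric "major.minor.patch[.build]" string, e.g. "7.0.4.2".
is_vulnerable_version() {
    v="$1"
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3)
    patch=${patch:-0}                 # "7.1" with no patch field means 7.1.0
    case "$major.$minor" in
        7.0) [ "$patch" -le 4 ] ;;    # 7.0.0 .. 7.0.4 affected, 7.0.5+ fixed
        7.1) [ "$patch" -le 0 ] ;;    # 7.1.0 affected, 7.1.1+ fixed
        *)   return 1 ;;              # other branches: not listed on this page
    esac
}

# Extract "x.y.z[.w]" from a line such as (constructed sample)
# "LibreOffice 7.0.4.2 00(Build:2)". Prints nothing if the line does not match.
parse_version_line() {
    printf '%s\n' "$1" | sed -n 's/^LibreOffice \([0-9][0-9.]*\).*/\1/p'
}

# Query the locally installed binary and print a verdict.
# Exit status: 0 affected, 1 not in a listed range, 2 binary not found.
check_installed() {
    if ! command -v libreoffice >/dev/null 2>&1; then
        echo "libreoffice not found in PATH"
        return 2
    fi
    ver=$(parse_version_line "$(libreoffice --version 2>/dev/null | head -n 1)")
    if is_vulnerable_version "$ver"; then
        echo "LibreOffice $ver: in a range listed as affected by CVE-2021-25635"
        return 0
    fi
    echo "LibreOffice $ver: not in a listed affected range"
    return 1
}

# Run with "--check" to test the local installation.
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```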
📡 Detection & Monitoring
Log Indicators:
- Unusual document-opening patterns, especially documents whose signatures were reported as valid but whose signature metadata has been altered
- Security software alerts about document signature anomalies
Network Indicators:
- Unusual document downloads from untrusted sources
- Email attachments with suspicious signature characteristics
SIEM Query:
Search for LibreOffice process executions that opened document files from untrusted origins (for example, email attachments or recent downloads), and correlate with any signature-related metadata anomalies reported by security tooling.