CVE-2021-25636
📋 TL;DR
This vulnerability allows an attacker to create a digitally signed LibreOffice document that appears valid but is actually verified with a different key than the one displayed to the user. Attackers can forge signatures to make malicious documents appear trustworthy. This affects LibreOffice 7.2 versions prior to 7.2.5.
💻 Affected Systems
- LibreOffice
📦 What is this software?
- Fedora (by Fedoraproject)
- LibreOffice (by Libreoffice)
⚠️ Risk & Real-World Impact
Worst Case
Users accept malicious documents with forged digital signatures, leading to malware execution, data theft, or credential harvesting.
Likely Case
Targeted attacks where attackers send specially crafted documents that appear legitimately signed to trick users into enabling macros or accepting content.
If Mitigated
Users verify signatures through additional means or avoid opening untrusted documents, limiting impact to suspicious document warnings.
🎯 Exploit Status
Requires creating specially crafted ODF documents with manipulated signature XML; user must open the document.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: LibreOffice 7.2.5 and later
Vendor Advisory: https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25636/
Restart Required: Yes
Instructions:
1. Update LibreOffice to version 7.2.5 or later.
2. Use your system's package manager (apt, yum, etc.) or download from libreoffice.org.
3. Restart LibreOffice after the update.
🔧 Temporary Workarounds
Disable macro execution
Prevent macro execution in documents to reduce risk even if the signature appears valid.
Tools → Options → Security → Macro Security → Set to 'Very High' (disable all macros)
Use alternative office suite
Temporarily use unaffected office software for opening signed documents.
🧯 If You Can't Patch
- Educate users to verify signatures through external means (not just LibreOffice's visual indicator)
- Implement document sandboxing or use virtual environments for opening untrusted documents
🔍 How to Verify
Check if Vulnerable:
Check LibreOffice version: Help → About LibreOffice. If version is 7.2.0 through 7.2.4, you are vulnerable.
Check Version:
Run libreoffice --version (Linux/macOS) or check the About dialog (Windows).
Verify Fix Applied:
After updating, verify version is 7.2.5 or later in Help → About LibreOffice.
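The version check above, scripted as an added example (not part of the advisory): it parses the first line of `libreoffice --version` (assumed to look like "LibreOffice 7.2.4.1 <hash>") and flags versions in the affected 7.2.0 through 7.2.4 range, treating 7.2.5 and later as fixed.

```shell
#!/bin/sh
# Added example, not from the advisory. Decides whether a LibreOffice
# version string falls in the affected range (7.2.0 through 7.2.4).
# Assumes `libreoffice --version` prints "LibreOffice <major.minor.patch.build> ...".

# Extract "major.minor.patch" from a --version line (missing parts become 0).
lo_version_triplet() {
    printf '%s\n' "$1" | awk '{ split($2, v, "."); printf "%s.%s.%s\n", v[1]+0, v[2]+0, v[3]+0 }'
}

# Return 0 (true) if the version is 7.2.x with x < 5, i.e. affected by CVE-2021-25636.
lo_is_affected() {
    triplet=$(lo_version_triplet "$1")
    major=${triplet%%.*}
    rest=${triplet#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -eq 7 ] && [ "$minor" -eq 2 ] && [ "$patch" -lt 5 ]
}

# Stand-alone use: inspect the installed binary when one is on PATH.
if command -v libreoffice >/dev/null 2>&1; then
    line=$(libreoffice --version 2>/dev/null | head -n 1)
    if lo_is_affected "$line"; then
        echo "AFFECTED by CVE-2021-25636: $line (update to 7.2.5 or later)"
    else
        echo "not in the affected 7.2.0-7.2.4 range: $line"
    fi
fi
```

The check only covers the 7.2 branch the advisory names; other branches report as not in range, not as safe.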
📡 Detection & Monitoring
Log Indicators:
- Unusual document signature validation failures
- Multiple documents with similar signature structures being opened
Network Indicators:
- Downloads of ODF documents from untrusted sources followed by signature validation
SIEM Query:
source="libreoffice" AND (event="signature_validation" OR event="document_open") AND result="success" AND document_type="odf"
🔗 References
- https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NE6UIBCPZWRBWPSEGJOPNWPPT3CCMVH2/
- https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25636/