CVE-2021-25832

9.8 CRITICAL

📋 TL;DR

A heap buffer overflow vulnerability in BMP image processing within ONLYOFFICE DocumentServer allows remote code execution. Attackers can exploit this by uploading malicious BMP files to achieve full system compromise. This affects ONLYOFFICE DocumentServer installations processing user-uploaded documents.

💻 Affected Systems

Products:
  • ONLYOFFICE DocumentServer
Versions: v4.0.0 through v6.0.0
Operating Systems: All platforms running ONLYOFFICE DocumentServer
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation processing BMP files is vulnerable. The vulnerability is in the core image processing library.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the DocumentServer, potentially leading to data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to document server compromise, data exfiltration, and potential pivot to internal network resources.

🟢 If Mitigated

Limited impact if proper network segmentation, file upload restrictions, and monitoring are in place, though RCE risk remains if exploited.

🌐 Internet-Facing: HIGH - Document servers are typically internet-facing to allow document collaboration, making them prime targets for exploitation.
🏢 Internal Only: MEDIUM - Internal-only servers are less exposed but still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious BMP file. The CVSS 9.8 score indicates critical severity with network-accessible attack vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v6.0.1.15 and later

Vendor Advisory: https://github.com/ONLYOFFICE/DocumentServer

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Update ONLYOFFICE DocumentServer to version 6.0.1.15 or later.
3. Restart the DocumentServer service.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Block BMP file uploads

Platform: all

Configure DocumentServer to reject BMP file uploads at the web application or WAF level. Note that an nginx location rule only matches requests whose URI path ends in .bmp; a BMP file carried in the body of a POST to an upload API endpoint is not caught by it, so the application-level or WAF-level filter is the one that matters.

# Configure web server (nginx example) to deny requests whose path ends in .bmp
# (~* makes the match case-insensitive, so .BMP is covered too)
location ~* \.bmp$ { deny all; }

Network segmentation

Platform: linux

Isolate DocumentServer from critical internal networks and implement strict firewall rules.

# Example iptables rules to restrict DocumentServer access.
# Replace trusted_network with the CIDR of the networks that need access (placeholder).
# The ACCEPT rule must precede the DROP rule; repeat both for any other port the server listens on.
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Implement strict file upload filtering to block all BMP files at the application and network perimeter
  • Deploy network-based intrusion prevention systems (IPS) with signatures for heap overflow exploits

🔍 How to Verify

Check if Vulnerable:

Check DocumentServer version. If version is between 4.0.0 and 6.0.0 inclusive, the system is vulnerable.

Check Version:

# Docker deployment (container name as used in the default compose setup):
docker exec onlyoffice-documentserver cat /etc/onlyoffice/documentserver/version.txt

# Debian/Ubuntu package:
dpkg -l onlyoffice-documentserver

# RHEL/CentOS package:
rpm -qa | grep onlyoffice

Verify Fix Applied:

Confirm DocumentServer version is 6.0.1.15 or later and verify BMP file processing functions correctly with safe test files.
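The version comparison described above, as an added example that is not part of the advisory or the ONLYOFFICE project: a POSIX shell helper that classifies a DocumentServer version string against the affected range (4.0.0 through 6.0.0) and the fix version (6.0.1.15). Versions above 6.0.0 but below 6.0.1.15 are not listed as affected by the advisory, so the helper reports them separately rather than guessing. The function `check_installed` wraps the version sources quoted in the advisory and is the only part that touches the host.

```shell
# Added example (not from the advisory): classify an ONLYOFFICE DocumentServer
# version string for CVE-2021-25832. Pure POSIX sh + awk, no other dependencies.

# Normalise "v6.0.1.15" / "6.0.0" to four numeric dot-separated fields.
pad_version() {
    printf '%s\n' "$1" | sed 's/^v//' | awk -F'.' '{ printf "%d.%d.%d.%d\n", $1+0, $2+0, $3+0, $4+0 }'
}

# Exit 0 if $1 < $2 (field-by-field numeric compare), 1 otherwise.
version_lt() {
    awk -v a="$(pad_version "$1")" -v b="$(pad_version "$2")" '
    BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal
    }'
}

# Print one of: NOT_LISTED (below 4.0.0), VULNERABLE (4.0.0..6.0.0),
# BELOW_FIX (above 6.0.0 but below 6.0.1.15), FIXED (6.0.1.15 or later),
# or UNKNOWN for a string that is not a dotted version. Always returns 0.
classify_version() {
    v="$1"
    if ! printf '%s' "$v" | grep -Eq '^v?[0-9]+(\.[0-9]+){1,3}$'; then
        echo UNKNOWN
    elif version_lt "$v" 4.0.0; then
        echo NOT_LISTED
    elif version_lt "$v" 6.0.0.1; then     # i.e. v <= 6.0.0
        echo VULNERABLE
    elif version_lt "$v" 6.0.1.15; then
        echo BELOW_FIX
    else
        echo FIXED
    fi
    return 0
}

# Read the installed version from the sources the advisory lists and classify it.
# The container name and version.txt path are taken from the advisory as-is.
check_installed() {
    v=$(docker exec onlyoffice-documentserver cat /etc/onlyoffice/documentserver/version.txt 2>/dev/null) \
      || v=$(dpkg-query -W -f='${Version}' onlyoffice-documentserver 2>/dev/null) \
      || v=$(rpm -q --qf '%{VERSION}' onlyoffice-documentserver 2>/dev/null) \
      || { echo "could not determine installed version" >&2; return 2; }
    # package versions may carry a release suffix such as "-1"; keep the dotted part only
    v=$(printf '%s' "$v" | sed 's/[-~+].*$//')
    printf '%s %s\n' "$v" "$(classify_version "$v")"
}
```

Usage: `classify_version 5.2.0` prints VULNERABLE; `check_installed` prints the detected version followed by its classification. Anything other than FIXED should be treated as unpatched until confirmed otherwise.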

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed BMP file upload attempts
  • Unusual process spawning from DocumentServer
  • Memory allocation errors in application logs

Network Indicators:

  • Unusual outbound connections from DocumentServer
  • Large BMP file uploads followed by command-and-control traffic

SIEM Query:

source="onlyoffice.log" AND ("bmp" OR "heap" OR "overflow") | stats count by src_ip, user_agent
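The "multiple failed BMP file upload attempts" indicator and the per-source count from the SIEM query above, as an added example that is not part of the advisory: a shell/awk filter that counts non-2xx BMP upload requests per source IP and flags sources that reach a threshold. The log lines are constructed for the example, and their field layout (timestamp, source IP, method, path, status, user agent) is an assumption; real DocumentServer or reverse-proxy logs will need the field numbers adjusted.

```shell
# Added example (not from the advisory): count failed BMP uploads per source IP
# over access-log-style lines and flag repeat sources. POSIX sh + awk only.

# Constructed sample log lines (not real ONLYOFFICE output). Assumed layout:
#   timestamp src_ip method path status "user-agent"
SAMPLE_LOG='2021-02-01T10:00:01Z 192.0.2.10 POST /upload/doc1.bmp 500 "curl/7.68.0"
2021-02-01T10:00:02Z 192.0.2.10 POST /upload/doc2.BMP 500 "curl/7.68.0"
2021-02-01T10:00:03Z 192.0.2.10 POST /upload/doc3.bmp 500 "curl/7.68.0"
2021-02-01T10:00:04Z 198.51.100.7 POST /upload/report.docx 200 "Mozilla/5.0"
2021-02-01T10:00:05Z 198.51.100.7 POST /upload/logo.bmp 200 "Mozilla/5.0"
2021-02-01T10:00:06Z 203.0.113.5 POST /upload/x.bmp 500 "python-requests/2.25"'

# Read log lines on stdin; print "src_ip count" for every source with at least
# one BMP upload (path ending in .bmp, any case) that did not return 2xx.
failed_bmp_uploads_by_ip() {
    awk '
    tolower($4) ~ /\.bmp$/ && $5 !~ /^2/ { n[$2]++ }
    END { for (ip in n) print ip, n[ip] }' | sort
}

# Read log lines on stdin; print only the source IPs whose failed-BMP-upload
# count reaches the threshold given as $1 (default 3).
flag_repeat_offenders() {
    threshold="${1:-3}"
    failed_bmp_uploads_by_ip | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Convenience wrapper over the constructed sample so the block runs stand-alone.
demo_flagged_sources() {
    printf '%s\n' "$SAMPLE_LOG" | flag_repeat_offenders 3
}
```

Usage: pipe a real log into `flag_repeat_offenders 3` (for example `tail -n 10000 access.log | flag_repeat_offenders 3`) after mapping the awk field numbers to the actual log format. The successful upload from 198.51.100.7 is intentionally not counted: a single accepted BMP is normal traffic, while repeated server-side failures on BMP input are what the advisory's log indicator describes.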
