CVE-2022-26305
📋 TL;DR
LibreOffice improperly validates macro signatures by only checking certificate serial numbers and issuer strings, not the actual cryptographic signature. Attackers can create fake certificates matching trusted ones, tricking users into executing malicious macros. This affects LibreOffice 7.2 before 7.2.7 and 7.3 before 7.3.1.
💻 Affected Systems
- LibreOffice
📦 What is this software?
Libreoffice by Libreoffice
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution via malicious macros leading to full system compromise, data theft, or ransomware deployment.
Likely Case
Users execute malicious macros thinking they're from trusted sources, leading to malware installation or data exfiltration.
If Mitigated
With macro security set to highest level and proper certificate validation, impact is limited to denial of service from macro blocking.
🎯 Exploit Status
Requires user interaction to open a malicious document and enable macros. Certificate creation is straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: LibreOffice 7.2.7 or 7.3.1
Vendor Advisory: https://www.libreoffice.org/about-us/security/advisories/cve-2022-26305
Restart Required: No
Instructions:
1. Update LibreOffice to version 7.2.7 or 7.3.1 or later.
2. Use your distribution's package manager (apt, yum, etc.) or download from libreoffice.org.
3. Restart LibreOffice after update.
🔧 Temporary Workarounds
Disable macro execution
all: Set macro security to highest level to block all macros
Tools → Options → Security → Macro Security → Set to 'Very High'
Disable certificate-based macro trust
all: Remove trusted certificates to prevent exploitation
Tools → Options → Security → Certificates → Delete trusted certificates
🧯 If You Can't Patch
- Set macro security to 'Very High' to block all macros
- Educate users to never enable macros in documents from untrusted sources
- Use application whitelisting to block LibreOffice if not required
🔍 How to Verify
Check if Vulnerable:
Check LibreOffice version: Help → About LibreOffice. If the version is 7.2.0-7.2.6 or 7.3.0, the system is vulnerable.
Check Version:
libreoffice --version
Verify Fix Applied:
Confirm the version is 7.2.7 or higher, or 7.3.1 or higher. Test with a known-good signed macro to ensure proper validation.
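The version check above can be scripted for triage across many hosts. This is an added example, not code from the LibreOffice project or the original page; the function name `classify_lo_version` and the sample lines are constructed, and it assumes the `LibreOffice <version> <build id>` line that `libreoffice --version` prints.

```shell
#!/bin/sh
# Added example: classify `libreoffice --version` output against the
# affected ranges stated on this page (7.2 before 7.2.7, 7.3 before 7.3.1).

# classify_lo_version "<version output line>"
# Prints one of: vulnerable | fixed | unlisted | unparsed
classify_lo_version() {
    # Extract major.minor.patch from the first dotted version on the line;
    # a fourth component (e.g. the ".3" in 7.3.0.3) is ignored.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1)
    if [ -z "$ver" ]; then
        echo unparsed        # not installed, or unexpected output
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    if [ "$major" -eq 7 ] && [ "$minor" -eq 2 ]; then
        if [ "$patch" -lt 7 ]; then echo vulnerable; else echo fixed; fi
    elif [ "$major" -eq 7 ] && [ "$minor" -eq 3 ]; then
        if [ "$patch" -lt 1 ]; then echo vulnerable; else echo fixed; fi
    elif [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 3 ]; }; then
        echo fixed           # later than both patched releases
    else
        echo unlisted        # older branch: this page gives no status for it
    fi
}

# Constructed sample lines (build ids are placeholders, not real builds).
while IFS= read -r line; do
    printf '%-11s %s\n' "$(classify_lo_version "$line")" "$line"
done <<'EOF'
LibreOffice 7.2.6.2 0000000000000000000000000000000000000000
LibreOffice 7.3.0.3 0000000000000000000000000000000000000000
LibreOffice 7.3.1.3 0000000000000000000000000000000000000000
EOF
```

On a real host, pass the live output instead: `classify_lo_version "$(libreoffice --version 2>/dev/null)"`.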
📡 Detection & Monitoring
Log Indicators:
- Failed macro signature validation events
- Multiple macro execution attempts from same document
Network Indicators:
- Downloads of LibreOffice documents with embedded macros from unusual sources
SIEM Query:
source="libreoffice" AND event="macro_execution" AND certificate_validation="failed"