CVE-2022-26307

8.8 HIGH

📋 TL;DR

A flaw in LibreOffice's password storage system weakens encryption from 128-bit to 43-bit entropy, making stored web connection passwords vulnerable to brute-force attacks if an attacker gains access to the user's configuration database. This affects LibreOffice users who store passwords for web connections within the application. The vulnerability impacts LibreOffice 7.2 versions before 7.2.7 and 7.3 versions before 7.3.3.

💻 Affected Systems

Products:
  • LibreOffice
Versions: 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3
Operating Systems: All platforms running affected LibreOffice versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who store web connection passwords in LibreOffice. The vulnerability exists in the configuration database encryption mechanism.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with access to configuration files can brute-force stored passwords, potentially compromising web services and accounts protected by those passwords.

🟠 Likely Case

Local attackers or malware on compromised systems can extract and crack stored LibreOffice web passwords.

🟢 If Mitigated

With proper access controls and patching, only authorized users can reach their own encrypted configuration data, so the residual risk is limited.

🌐 Internet-Facing: LOW - This is primarily a local file access vulnerability, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal attackers with file system access or malware could exploit this to harvest stored passwords.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to user's LibreOffice configuration files. The weakened encryption makes brute-force attacks feasible against the stored passwords.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: LibreOffice 7.2.7 or 7.3.3 and later

Vendor Advisory: https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307

Restart Required: Yes

Instructions:

1. Update LibreOffice to version 7.2.7 or higher (7.2 branch) or 7.3.3 or higher (7.3 branch).
2. Restart LibreOffice after the update.
3. Consider changing any stored web connection passwords.

🔧 Temporary Workarounds

Remove stored passwords (platform: all)

Delete stored web connection passwords from the LibreOffice configuration: navigate to Tools > Options > LibreOffice > Security > Passwords, then delete the stored passwords.

Restrict configuration file access (platform: linux/windows)

Set strict file permissions on the LibreOffice configuration directory:

chmod 700 ~/.config/libreoffice (Linux)
Set restrictive ACLs on %APPDATA%\LibreOffice (Windows)

🧯 If You Can't Patch

  • Do not store web connection passwords in LibreOffice
  • Use full disk encryption and strict file permissions to protect configuration files

🔍 How to Verify

Check if Vulnerable:

Check LibreOffice version via Help > About LibreOffice. If version is 7.2.0-7.2.6 or 7.3.0-7.3.2, system is vulnerable.

Check Version:

libreoffice --version (Linux) or check Help > About in GUI

Verify Fix Applied:

Confirm the version is 7.2.7+ or 7.3.3+ via Help > About LibreOffice, then verify that no stored passwords remain or that they have been re-encrypted with proper entropy.
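As an added helper (not part of this advisory), the POSIX shell functions below classify a version string against the affected ranges and fixed versions listed above, and pull the version out of `libreoffice --version` output; the "LibreOffice X.Y.Z.W ..." output format is an assumption, since the advisory only names the command.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a LibreOffice version
# against the ranges CVE-2022-26307 affects.
#   7.2.0 - 7.2.6 and 7.3.0 - 7.3.2 -> vulnerable
#   7.2.7+ and 7.3.3+               -> fixed
#   other branches                  -> not_listed (not in the advisory's ranges)
# Prints one word: vulnerable | fixed | not_listed | unknown
lo_cve_2022_26307_status() {
    ver=$1
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    # Every component must be a non-empty number, otherwise we cannot decide.
    for part in "$major" "$minor" "$patch"; do
        case "$part" in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    if [ "$major" -ne 7 ]; then echo not_listed; return 0; fi
    case "$minor" in
        2) if [ "$patch" -le 6 ]; then echo vulnerable; else echo fixed; fi ;;
        3) if [ "$patch" -le 2 ]; then echo vulnerable; else echo fixed; fi ;;
        *) echo not_listed ;;
    esac
}

# Extract "X.Y.Z.W" from `libreoffice --version` output. The output is
# assumed to start with "LibreOffice <version>" (assumed format).
lo_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^LibreOffice \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Stand-alone run: check the installed copy when the binary is present.
if command -v libreoffice >/dev/null 2>&1; then
    raw=$(libreoffice --version 2>/dev/null || true)
    v=$(lo_version_from_output "$raw")
    echo "LibreOffice ${v:-?}: $(lo_cve_2022_26307_status "${v:-}")"
fi
```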

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to LibreOffice configuration files
  • Failed password attempts against web services from LibreOffice

Network Indicators:

  • Unexpected connections from LibreOffice to stored web services

SIEM Query:

source="*libreoffice*" AND (event="config_access" OR event="password_retrieval")
