CVE-2022-48422
📋 TL;DR
This vulnerability allows local users on Linux systems to escalate privileges by placing a malicious libgcc_s.so.1 library in a directory where ONLYOFFICE Docs is executed. The application loads this library from the current working directory instead of secure system paths, enabling attackers to execute arbitrary code with higher privileges. This affects ONLYOFFICE Docs installations on certain Linux distributions where users have write access to document directories.
💻 Affected Systems
- ONLYOFFICE Docs
📦 What is this software?
Document Server by Onlyoffice
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains root privileges on the system, leading to complete system compromise, data theft, and persistent backdoor installation.
Likely Case
Local user with document directory access escalates to application service account privileges, potentially accessing sensitive documents and system resources.
If Mitigated
Attack limited to user's own directories with no privilege escalation due to proper file permissions and library path restrictions.
🎯 Exploit Status
Exploitation requires local user access and ability to place malicious library in a directory where ONLYOFFICE will be executed. The technique is well-known (DLL/so hijacking).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 7.4 and later
Vendor Advisory: https://forum.onlyoffice.com/t/security-hole-library-from-cwd/3302
Restart Required: Yes
Instructions:
1. Update ONLYOFFICE Docs to version 7.4 or later.
2. Stop all ONLYOFFICE services.
3. Install the updated package using your distribution's package manager.
4. Restart ONLYOFFICE services.
🔧 Temporary Workarounds
Set secure library path
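Linux: Configure ONLYOFFICE to use secure library paths and disable loading from the current directory
# Absolute system directories only. Leave no empty entry (leading, trailing or doubled ':'),
# because the dynamic loader treats an empty entry as the current working directory.
export LD_LIBRARY_PATH=/usr/lib:/lib
# Clear any preloaded libraries inherited from the environment.
export LD_PRELOAD=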
Restrict directory permissions
Linux: Set strict permissions on document directories to prevent unauthorized file placement
chmod 755 /path/to/document/directories
chown root:root /path/to/document/directories
🧯 If You Can't Patch
- Run ONLYOFFICE Docs with minimal privileges using a dedicated service account with no sudo access
- Implement strict file system permissions preventing users from writing to directories where ONLYOFFICE executes
🔍 How to Verify
Check if Vulnerable:
Check the ONLYOFFICE Docs version: dpkg -l | grep onlyoffice-documentserver or rpm -qa | grep onlyoffice-documentserver. If the version is 7.3 or earlier, the system is vulnerable.
Check Version:
dpkg -l | grep onlyoffice-documentserver || rpm -qa | grep onlyoffice-documentserver
Verify Fix Applied:
Verify version is 7.4 or later using the same commands and test that libgcc_s.so.1 is loaded from system paths only.
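Added example (not from the vendor advisory or ONLYOFFICE's own tooling): one way to run the "loaded from system paths only" test is to read /proc/<pid>/maps for each running ONLYOFFICE process and flag any libgcc_s.so.1 mapped from outside the system library directories. The trusted directory list, the process-name pattern, the function names and the sample mapping lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Trusted library directories (assumption: adjust for your distribution, and
# add the package's own library directory if it ships a private copy).
TRUSTED_DIRS="/lib /lib64 /usr/lib /usr/lib64"

# Read /proc/<pid>/maps-format text on stdin; print each distinct path of
# libgcc_s.so.1 that is not under a trusted directory. Returns 1 if any found.
untrusted_libgcc() {
    awk -v dirs="$TRUSTED_DIRS" '
        BEGIN { n = split(dirs, d, " "); bad = 0 }
        {
            path = $6                      # pathname starts at field 6
            for (i = 7; i <= NF; i++) path = path " " $i
            sub(/ \(deleted\)$/, "", path) # file unlinked after being mapped
            if (path !~ /\/libgcc_s\.so\.1$/ || seen[path]++) next
            ok = 0
            for (i = 1; i <= n; i++)
                if (index(path, d[i] "/") == 1) ok = 1
            if (!ok) { print path; bad = 1 }
        }
        END { exit bad }'
}

# Check running processes whose command line matches a pattern
# (default "onlyoffice" is an assumption about how the services are named).
scan_processes() {
    pattern=${1:-onlyoffice}
    status=0
    for pid in $(pgrep -f "$pattern"); do
        [ -r "/proc/$pid/maps" ] || continue
        hits=$(untrusted_libgcc < "/proc/$pid/maps") && continue
        status=1
        printf 'pid %s (cwd %s): libgcc_s.so.1 from %s\n' \
            "$pid" "$(readlink "/proc/$pid/cwd")" "$hits"
    done
    return $status
}

# Constructed sample in /proc/<pid>/maps format (not real output).
sample_maps() {
    cat <<'EOF'
55d0c0a00000-55d0c0a21000 r-xp 00000000 08:01 131090 /opt/example-app/bin/converter
7f3a10000000-7f3a10017000 r-xp 00000000 08:01 920113 /home/alice/Documents/libgcc_s.so.1
7f3a10017000-7f3a10018000 r--p 00016000 08:01 920113 /home/alice/Documents/libgcc_s.so.1
7f3a10400000-7f3a105b5000 r-xp 00000000 08:01 393301 /usr/lib/x86_64-linux-gnu/libc.so.6
EOF
}

if [ "${1:-}" = "--scan" ]; then scan_processes "${2:-onlyoffice}"; fi
```

Run it with --scan as root or as the service account so that /proc/<pid>/maps is readable; a non-zero exit status means at least one matching process mapped the library from an untrusted path.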
📡 Detection & Monitoring
Log Indicators:
- Unusual library loading from non-standard paths
- Process privilege escalation attempts
- Execution of ONLYOFFICE from user-writable directories
Network Indicators:
- None - this is a local attack
SIEM Query:
Process where (ImagePath contains 'onlyoffice' OR ProcessName contains 'onlyoffice') AND (IntegrityLevel changed OR ParentProcess contains 'explorer.exe')