LibreOffice developers fixed three vulnerabilities that allowed to bypass previous patches

The developers updated LibreOffice to versions 6.2.6 / 6.3.0, in which they fixed three serious vulnerabilities at once. These bugs allowed bypassing patches for other dangerous problems which specialists discovered earlier.

“Bypassed successfully the fix of CVE-2019-9848 in LibreOffice 6.2.5. It’s time to write a new email”, — wrote Alex Inführ on Twitter

It is worth noting that this was not a trivial issue: to exploit a bug related to the LibreLogo component, the victim only had to open a malicious document in LibreOffice, which could entail code execution.

As it turned out now, Infour was not the only one who managed to circumvent the initial fix for CVE-2019-9848. So, in LibreOffice 6.2.6 / 6.3.0, two options for bypassing the patch were fixed right away:

1. CVE-2019-9850: Vulnerability discovered by Infur was due to insufficient URL checking. As a result, the attacker could bypass the patch and initiate a call to LibreLogo;
2. CVE-2019-9851: a problem discovered by Gabriel Masei was related to a function due to which documents can use predefined scripts (such as LibreLogo) that can be executed on various global script events (opening a document and so on).

Read also: The patch for vulnerability in LibreOffice was ineffective

Another problem fixed with the release of LibreOffice 6.2.6 / 6.3.0 was associated with a bypass patch for the vulnerability CVE-2018-16858, fixed in February of this year. Information security specialist Nils Emmerich discovered that an attack on a directory bypass is still possible, regardless of the patch. So, the malicious document could still execute an arbitrary script from an arbitrary location in the victim’s file system.

“Macros shipped with LibreOffice are executed without prompting the user, even on the highest macro security setting. So, if there would be a system macro from LibreOffice with a bug that allows to execute code, the user would not even get a prompt and the code would be executed right away, — Nils Emmerich reported about the bug.