Vulnerabilities > CVE-2019-9848 - Code Injection vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
libreoffice
canonical
fedoraproject
debian
opensuse
CWE-94
critical
nessus
metasploit

Summary

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.

Vulnerable Configurations

Part Description Count
Application
Libreoffice
384
OS
Canonical
3
OS
Fedoraproject
2
OS
Debian
1
OS
Opensuse
2

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Metasploit

descriptionLibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events to them. LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE. This module generates an ODT file with a dom loaded event that, when triggered, will execute arbitrary python code and the metasploit payload.
idMSF:EXPLOIT/MULTI/FILEFORMAT/LIBREOFFICE_LOGO_EXEC
last seen2020-06-14
modified2019-08-19
published2019-07-30
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/fileformat/libreoffice_logo_exec.rb
titleLibreOffice Macro Python Code Execution

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-5561D20558.NASL
    description - CVE-2019-9848 LibreLogo arbitrary script execution - CVE-2019-9849 remote bullet graphics retrieved in
    last seen2020-06-01
    modified2020-06-02
    plugin id126799
    published2019-07-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126799
    titleFedora 30 : 1:libreoffice (2019-5561d20558)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2019-5561d20558.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126799);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/24 11:01:32");
    
      script_cve_id("CVE-2019-9848", "CVE-2019-9849");
      script_xref(name:"FEDORA", value:"2019-5561d20558");
    
      script_name(english:"Fedora 30 : 1:libreoffice (2019-5561d20558)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - CVE-2019-9848 LibreLogo arbitrary script execution
    
      - CVE-2019-9849 remote bullet graphics retrieved in
        'stealth mode'
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-5561d20558"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 1:libreoffice package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:libreoffice");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC30", reference:"libreoffice-6.2.5.2-1.fc30", epoch:"1")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:libreoffice");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4063-1.NASL
    descriptionNils Emmerich discovered that LibreOffice incorrectly handled LibreLogo scripts. If a user were tricked into opening a specially crafted document, a remote attacker could cause LibreOffice to execute arbitrary code. (CVE-2019-9848) Matei
    last seen2020-06-01
    modified2020-06-02
    plugin id126815
    published2019-07-19
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126815
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.04 : libreoffice vulnerabilities (USN-4063-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4063-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126815);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/24 11:01:33");
    
      script_cve_id("CVE-2019-9848", "CVE-2019-9849");
      script_xref(name:"USN", value:"4063-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : libreoffice vulnerabilities (USN-4063-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Nils Emmerich discovered that LibreOffice incorrectly handled
    LibreLogo scripts. If a user were tricked into opening a specially
    crafted document, a remote attacker could cause LibreOffice to execute
    arbitrary code. (CVE-2019-9848)
    
    Matei 'Mal' Badanoiu discovered that LibreOffice incorrectly handled
    stealth mode. Contrary to expectations, bullet graphics could be
    retrieved from remote locations when running in stealth mode.
    (CVE-2019-9849).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4063-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libreoffice-core package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libreoffice-core");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04|19\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"libreoffice-core", pkgver:"1:5.1.6~rc2-0ubuntu1~xenial8")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"libreoffice-core", pkgver:"1:6.0.7-0ubuntu0.18.04.8")) flag++;
    if (ubuntu_check(osver:"19.04", pkgname:"libreoffice-core", pkgver:"1:6.2.5-0ubuntu0.19.04.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libreoffice-core");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2183.NASL
    descriptionThis update for libreoffice fixes the following issues : Updated to version 6.2.7.1. Security issues fixed : - CVE-2019-9849: Disabled fetching remote bullet graphics in
    last seen2020-06-01
    modified2020-06-02
    plugin id129346
    published2019-09-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129346
    titleopenSUSE Security Update : libreoffice (openSUSE-2019-2183)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1151.NASL
    descriptionThe remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1151 advisory. - libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands (CVE-2019-9848) - libreoffice: Remote resources protection module not applied to bullet graphics (CVE-2019-9849) - libreoffice: Insufficient URL validation allowing LibreLogo script execution (CVE-2019-9850) - libreoffice: LibreLogo global-event script execution (CVE-2019-9851) - libreoffice: Insufficient URL encoding flaw in allowed script location check (CVE-2019-9852) - libreoffice: Insufficient URL decoding flaw in categorizing macro location (CVE-2019-9853) - libreoffice: Unsafe URL assembly flaw in allowed script location check (CVE-2019-9854) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-23
    modified2020-04-01
    plugin id135068
    published2020-04-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135068
    titleRHEL 7 : libreoffice (RHSA-2020:1151)
  • NASL familyWindows
    NASL idLIBREOFFICE_630.NASL
    descriptionAccording to its self-reported version, the LibreOffice application running on the remote host is prior to 6.2.6. It is, therefore, affected by multiple vulnerabilities: - Protection that was added to mitigate CVE-2019-9848 which prevents LibreLogo from being called from a document event handler. However, insufficient validation of URL encoded characters could allow an attacker to bypass these protections and trigger LibreLogo from script event handlers. (CVE-2019-9850) - It is possible for documents to specify that pre-installed scripts be executed on global script events like document-open, etc. (CVE-2019-9851) - A feature of this application is that documents can make use of pre-installed macros that can be executed on various script events, the macros are supposed to only be able to access scripts in share/Scripts/python and user/Scripts/python sub-directories of the applications install. However, due to not properly sanitizing URL encoded characters this can be bypassed to allow execution of scripts in other directories. (CVE-2019-9852) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-03-18
    modified2020-02-05
    plugin id133474
    published2020-02-05
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133474
    titleLibreOffice < 6.2.6 / 6.3 Input Validation (Windows)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-2FE22A3A2C.NASL
    description - CVE-2019-9850 Insufficient url validation allowing LibreLogo script execution - CVE-2019-9851 LibreLogo global-event script execution - CVE-2019-9852 Insufficient URL encoding flaw in allowed script location check ---- - CVE-2019-9848 LibreLogo arbitrary script execution - CVE-2019-9849 remote bullet graphics retrieved in
    last seen2020-06-01
    modified2020-06-02
    plugin id128128
    published2019-08-26
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128128
    titleFedora 29 : 1:libreoffice (2019-2fe22a3a2c)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOS_LIBREOFFICE_625.NASL
    descriptionThe version of LibreOffice installed on the remote macOS host is prior to 6.2.5. It is, therefore, affected by multiple vulnerabilities : - An arbitrary script execution vulnerability exists due to a flaw allowing event-based execution of python scripts within a document. Note, LibreLogo must be installed for this vulnerability to be exploitable. LibreLogo is frequently bundled with LibreOffice. (CVE-2019-9848) - An information disclosure vulnerability exists due to how bullet graphics are handled when in
    last seen2020-06-01
    modified2020-06-02
    plugin id127113
    published2019-08-05
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127113
    titleLibreOffice < 6.2.5 Multiple Vulnerabilities (macOS)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1976.NASL
    descriptionAccording to the versions of the libreoffice packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libreoffice: Arbitrary python functions in arbitrary modules on the filesystem can be executed without warning (CVE-2018-16858) - LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.(CVE-2019-9848) - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.(CVE-2019-9850) - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.(CVE-2019-9851) - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.(CVE-2019-9852) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-09-23
    plugin id129133
    published2019-09-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129133
    titleEulerOS 2.0 SP5 : libreoffice (EulerOS-SA-2019-1976)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2082.NASL
    descriptionAccording to the versions of the libreoffice packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libreoffice: Arbitrary python functions in arbitrary modules on the filesystem can be executed without warning (CVE-2018-16858) - LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.(CVE-2019-9848) - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.(CVE-2019-9850) - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.(CVE-2019-9851) - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.(CVE-2019-9852) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2019-09-30
    plugin id129441
    published2019-09-30
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129441
    titleEulerOS 2.0 SP8 : libreoffice (EulerOS-SA-2019-2082)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4483.NASL
    descriptionTwo security issues have been discovered in LibreOffice : - CVE-2019-9848 Nils Emmerich discovered that malicious documents could execute arbitrary Python code via LibreLogo. - CVE-2019-9849 Matei Badanoiu discovered that the stealth mode did not apply to bullet graphics.
    last seen2020-06-01
    modified2020-06-02
    plugin id126755
    published2019-07-17
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126755
    titleDebian DSA-4483-1 : libreoffice - security update
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201908-13.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201908-13 (LibreOffice: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in LibreOffice. Please review the CVE identifiers referenced below for details. Impact : Please review the referenced CVE identifiers for details. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id127962
    published2019-08-20
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127962
    titleGLSA-201908-13 : LibreOffice: Multiple vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1947.NASL
    descriptionSeveral vulnerabilities were discovered in LibreOffice, the office productivity suite. CVE-2019-9848 Nils Emmerich discovered that malicious documents could execute arbitrary Python code via LibreLogo. CVE-2019-9849 Matei Badanoiu discovered that the stealth mode did not apply to bullet graphics. CVE-2019-9850 It was discovered that the protections implemented in CVE-2019-9848 could be bypassed because of insufficient URL validation. CVE-2019-9851 Gabriel Masei discovered that malicious documents could execute arbitrary pre-installed scripts. CVE-2019-9852 Nils Emmerich discovered that the protection implemented to address CVE-2018-16858 could be bypassed by a URL encoding attack. CVE-2019-9853 Nils Emmerich discovered that malicious documents could bypass document security settings to execute macros contained within the document. CVE-2019-9854 It was discovered that the protection implemented to address CVE-2019-9852 could be bypassed because of insufficient input sanitization. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id129595
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129595
    titleDebian DLA-1947-1 : libreoffice security update
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20200407_LIBREOFFICE_ON_SL7_X.NASL
    description* libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands * libreoffice: Insufficient URL validation allowing LibreLogo script execution * libreoffice: LibreLogo global-event script execution * libreoffice: Insufficient URL encoding flaw in allowed script location check * libreoffice: Insufficient URL decoding flaw in categorizing macro location * libreoffice: Unsafe URL assembly flaw in allowed script location check * libreoffice: Remote resources protection module not applied to bullet graphics
    last seen2020-04-30
    modified2020-04-21
    plugin id135817
    published2020-04-21
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135817
    titleScientific Linux Security Update : libreoffice on SL7.x x86_64 (20200407)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4501.NASL
    descriptionIt was discovered that the code fixes to address CVE-2018-16858 and CVE-2019-9848 were not complete.
    last seen2020-06-01
    modified2020-06-02
    plugin id127928
    published2019-08-20
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127928
    titleDebian DSA-4501-1 : libreoffice - security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2402-1.NASL
    descriptionThis update for libreoffice fixes the following issues : Updated to version 6.2.7.1. Security issues fixed : CVE-2019-9849: Disabled fetching remote bullet graphics in
    last seen2020-06-01
    modified2020-06-02
    plugin id129046
    published2019-09-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129046
    titleSUSE SLED15 / SLES15 Security Update : libreoffice (SUSE-SU-2019:2402-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2401-1.NASL
    descriptionThis update for libreoffice to version 6.2.7.1 fixes the following issues : Security issues fixed : CVE-2019-9849: Disabled fetching remote bullet graphics in
    last seen2020-06-01
    modified2020-06-02
    plugin id129045
    published2019-09-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129045
    titleSUSE SLED12 Security Update : libreoffice (SUSE-SU-2019:2401-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2057.NASL
    descriptionThis update for libreoffice fixes the following issues : Security issues fixed : - CVE-2019-9849: Disabled fetching remote bullet graphics in
    last seen2020-06-01
    modified2020-06-02
    plugin id128463
    published2019-09-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128463
    titleopenSUSE Security Update : libreoffice (openSUSE-2019-2057)
  • NASL familyWindows
    NASL idLIBREOFFICE_625.NASL
    descriptionThe version of LibreOffice installed on the remote Windows host is prior to 6.2.5. It is, therefore, affected by multiple vulnerabilities : - An arbitrary script execution vulnerability exists due to a flaw allowing event-based execution of python scripts within a document. Note, LibreLogo must be installed for this vulnerability to be exploitable. LibreLogo is frequently bundled with LibreOffice. (CVE-2019-9848) - An information disclosure vulnerability exists due to how bullet graphics are handled when in
    last seen2020-06-01
    modified2020-06-02
    plugin id127114
    published2019-08-05
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127114
    titleLibreOffice < 6.2.5 Multiple Vulnerabilities (Windows)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2020-1151.NASL
    descriptionThe remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1151 advisory. - libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands (CVE-2019-9848) - libreoffice: Remote resources protection module not applied to bullet graphics (CVE-2019-9849) - libreoffice: Insufficient URL validation allowing LibreLogo script execution (CVE-2019-9850) - libreoffice: LibreLogo global-event script execution (CVE-2019-9851) - libreoffice: Insufficient URL encoding flaw in allowed script location check (CVE-2019-9852) - libreoffice: Insufficient URL decoding flaw in categorizing macro location (CVE-2019-9853) - libreoffice: Unsafe URL assembly flaw in allowed script location check (CVE-2019-9854) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-04-10
    plugin id135347
    published2020-04-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135347
    titleCentOS 7 : libreoffice (CESA-2020:1151)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/154168/libreoffice_logo_exec.rb.txt
idPACKETSTORM:154168
last seen2019-08-21
published2019-08-20
reporterShelby Pace
sourcehttps://packetstormsecurity.com/files/154168/LibreOffice-Macro-Python-Code-Execution.html
titleLibreOffice Macro Python Code Execution

Redhat

rpms
  • autocorr-af-1:5.3.6.1-24.el7
  • autocorr-bg-1:5.3.6.1-24.el7
  • autocorr-ca-1:5.3.6.1-24.el7
  • autocorr-cs-1:5.3.6.1-24.el7
  • autocorr-da-1:5.3.6.1-24.el7
  • autocorr-de-1:5.3.6.1-24.el7
  • autocorr-en-1:5.3.6.1-24.el7
  • autocorr-es-1:5.3.6.1-24.el7
  • autocorr-fa-1:5.3.6.1-24.el7
  • autocorr-fi-1:5.3.6.1-24.el7
  • autocorr-fr-1:5.3.6.1-24.el7
  • autocorr-ga-1:5.3.6.1-24.el7
  • autocorr-hr-1:5.3.6.1-24.el7
  • autocorr-hu-1:5.3.6.1-24.el7
  • autocorr-is-1:5.3.6.1-24.el7
  • autocorr-it-1:5.3.6.1-24.el7
  • autocorr-ja-1:5.3.6.1-24.el7
  • autocorr-ko-1:5.3.6.1-24.el7
  • autocorr-lb-1:5.3.6.1-24.el7
  • autocorr-lt-1:5.3.6.1-24.el7
  • autocorr-mn-1:5.3.6.1-24.el7
  • autocorr-nl-1:5.3.6.1-24.el7
  • autocorr-pl-1:5.3.6.1-24.el7
  • autocorr-pt-1:5.3.6.1-24.el7
  • autocorr-ro-1:5.3.6.1-24.el7
  • autocorr-ru-1:5.3.6.1-24.el7
  • autocorr-sk-1:5.3.6.1-24.el7
  • autocorr-sl-1:5.3.6.1-24.el7
  • autocorr-sr-1:5.3.6.1-24.el7
  • autocorr-sv-1:5.3.6.1-24.el7
  • autocorr-tr-1:5.3.6.1-24.el7
  • autocorr-vi-1:5.3.6.1-24.el7
  • autocorr-zh-1:5.3.6.1-24.el7
  • libreoffice-1:5.3.6.1-24.el7
  • libreoffice-base-1:5.3.6.1-24.el7
  • libreoffice-bsh-1:5.3.6.1-24.el7
  • libreoffice-calc-1:5.3.6.1-24.el7
  • libreoffice-core-1:5.3.6.1-24.el7
  • libreoffice-data-1:5.3.6.1-24.el7
  • libreoffice-debuginfo-1:5.3.6.1-24.el7
  • libreoffice-draw-1:5.3.6.1-24.el7
  • libreoffice-emailmerge-1:5.3.6.1-24.el7
  • libreoffice-filters-1:5.3.6.1-24.el7
  • libreoffice-gdb-debug-support-1:5.3.6.1-24.el7
  • libreoffice-glade-1:5.3.6.1-24.el7
  • libreoffice-graphicfilter-1:5.3.6.1-24.el7
  • libreoffice-gtk2-1:5.3.6.1-24.el7
  • libreoffice-gtk3-1:5.3.6.1-24.el7
  • libreoffice-help-ar-1:5.3.6.1-24.el7
  • libreoffice-help-bg-1:5.3.6.1-24.el7
  • libreoffice-help-bn-1:5.3.6.1-24.el7
  • libreoffice-help-ca-1:5.3.6.1-24.el7
  • libreoffice-help-cs-1:5.3.6.1-24.el7
  • libreoffice-help-da-1:5.3.6.1-24.el7
  • libreoffice-help-de-1:5.3.6.1-24.el7
  • libreoffice-help-dz-1:5.3.6.1-24.el7
  • libreoffice-help-el-1:5.3.6.1-24.el7
  • libreoffice-help-es-1:5.3.6.1-24.el7
  • libreoffice-help-et-1:5.3.6.1-24.el7
  • libreoffice-help-eu-1:5.3.6.1-24.el7
  • libreoffice-help-fi-1:5.3.6.1-24.el7
  • libreoffice-help-fr-1:5.3.6.1-24.el7
  • libreoffice-help-gl-1:5.3.6.1-24.el7
  • libreoffice-help-gu-1:5.3.6.1-24.el7
  • libreoffice-help-he-1:5.3.6.1-24.el7
  • libreoffice-help-hi-1:5.3.6.1-24.el7
  • libreoffice-help-hr-1:5.3.6.1-24.el7
  • libreoffice-help-hu-1:5.3.6.1-24.el7
  • libreoffice-help-id-1:5.3.6.1-24.el7
  • libreoffice-help-it-1:5.3.6.1-24.el7
  • libreoffice-help-ja-1:5.3.6.1-24.el7
  • libreoffice-help-ko-1:5.3.6.1-24.el7
  • libreoffice-help-lt-1:5.3.6.1-24.el7
  • libreoffice-help-lv-1:5.3.6.1-24.el7
  • libreoffice-help-nb-1:5.3.6.1-24.el7
  • libreoffice-help-nl-1:5.3.6.1-24.el7
  • libreoffice-help-nn-1:5.3.6.1-24.el7
  • libreoffice-help-pl-1:5.3.6.1-24.el7
  • libreoffice-help-pt-BR-1:5.3.6.1-24.el7
  • libreoffice-help-pt-PT-1:5.3.6.1-24.el7
  • libreoffice-help-ro-1:5.3.6.1-24.el7
  • libreoffice-help-ru-1:5.3.6.1-24.el7
  • libreoffice-help-si-1:5.3.6.1-24.el7
  • libreoffice-help-sk-1:5.3.6.1-24.el7
  • libreoffice-help-sl-1:5.3.6.1-24.el7
  • libreoffice-help-sv-1:5.3.6.1-24.el7
  • libreoffice-help-ta-1:5.3.6.1-24.el7
  • libreoffice-help-tr-1:5.3.6.1-24.el7
  • libreoffice-help-uk-1:5.3.6.1-24.el7
  • libreoffice-help-zh-Hans-1:5.3.6.1-24.el7
  • libreoffice-help-zh-Hant-1:5.3.6.1-24.el7
  • libreoffice-impress-1:5.3.6.1-24.el7
  • libreoffice-langpack-af-1:5.3.6.1-24.el7
  • libreoffice-langpack-ar-1:5.3.6.1-24.el7
  • libreoffice-langpack-as-1:5.3.6.1-24.el7
  • libreoffice-langpack-bg-1:5.3.6.1-24.el7
  • libreoffice-langpack-bn-1:5.3.6.1-24.el7
  • libreoffice-langpack-br-1:5.3.6.1-24.el7
  • libreoffice-langpack-ca-1:5.3.6.1-24.el7
  • libreoffice-langpack-cs-1:5.3.6.1-24.el7
  • libreoffice-langpack-cy-1:5.3.6.1-24.el7
  • libreoffice-langpack-da-1:5.3.6.1-24.el7
  • libreoffice-langpack-de-1:5.3.6.1-24.el7
  • libreoffice-langpack-dz-1:5.3.6.1-24.el7
  • libreoffice-langpack-el-1:5.3.6.1-24.el7
  • libreoffice-langpack-en-1:5.3.6.1-24.el7
  • libreoffice-langpack-es-1:5.3.6.1-24.el7
  • libreoffice-langpack-et-1:5.3.6.1-24.el7
  • libreoffice-langpack-eu-1:5.3.6.1-24.el7
  • libreoffice-langpack-fa-1:5.3.6.1-24.el7
  • libreoffice-langpack-fi-1:5.3.6.1-24.el7
  • libreoffice-langpack-fr-1:5.3.6.1-24.el7
  • libreoffice-langpack-ga-1:5.3.6.1-24.el7
  • libreoffice-langpack-gl-1:5.3.6.1-24.el7
  • libreoffice-langpack-gu-1:5.3.6.1-24.el7
  • libreoffice-langpack-he-1:5.3.6.1-24.el7
  • libreoffice-langpack-hi-1:5.3.6.1-24.el7
  • libreoffice-langpack-hr-1:5.3.6.1-24.el7
  • libreoffice-langpack-hu-1:5.3.6.1-24.el7
  • libreoffice-langpack-id-1:5.3.6.1-24.el7
  • libreoffice-langpack-it-1:5.3.6.1-24.el7
  • libreoffice-langpack-ja-1:5.3.6.1-24.el7
  • libreoffice-langpack-kk-1:5.3.6.1-24.el7
  • libreoffice-langpack-kn-1:5.3.6.1-24.el7
  • libreoffice-langpack-ko-1:5.3.6.1-24.el7
  • libreoffice-langpack-lt-1:5.3.6.1-24.el7
  • libreoffice-langpack-lv-1:5.3.6.1-24.el7
  • libreoffice-langpack-mai-1:5.3.6.1-24.el7
  • libreoffice-langpack-ml-1:5.3.6.1-24.el7
  • libreoffice-langpack-mr-1:5.3.6.1-24.el7
  • libreoffice-langpack-nb-1:5.3.6.1-24.el7
  • libreoffice-langpack-nl-1:5.3.6.1-24.el7
  • libreoffice-langpack-nn-1:5.3.6.1-24.el7
  • libreoffice-langpack-nr-1:5.3.6.1-24.el7
  • libreoffice-langpack-nso-1:5.3.6.1-24.el7
  • libreoffice-langpack-or-1:5.3.6.1-24.el7
  • libreoffice-langpack-pa-1:5.3.6.1-24.el7
  • libreoffice-langpack-pl-1:5.3.6.1-24.el7
  • libreoffice-langpack-pt-BR-1:5.3.6.1-24.el7
  • libreoffice-langpack-pt-PT-1:5.3.6.1-24.el7
  • libreoffice-langpack-ro-1:5.3.6.1-24.el7
  • libreoffice-langpack-ru-1:5.3.6.1-24.el7
  • libreoffice-langpack-si-1:5.3.6.1-24.el7
  • libreoffice-langpack-sk-1:5.3.6.1-24.el7
  • libreoffice-langpack-sl-1:5.3.6.1-24.el7
  • libreoffice-langpack-sr-1:5.3.6.1-24.el7
  • libreoffice-langpack-ss-1:5.3.6.1-24.el7
  • libreoffice-langpack-st-1:5.3.6.1-24.el7
  • libreoffice-langpack-sv-1:5.3.6.1-24.el7
  • libreoffice-langpack-ta-1:5.3.6.1-24.el7
  • libreoffice-langpack-te-1:5.3.6.1-24.el7
  • libreoffice-langpack-th-1:5.3.6.1-24.el7
  • libreoffice-langpack-tn-1:5.3.6.1-24.el7
  • libreoffice-langpack-tr-1:5.3.6.1-24.el7
  • libreoffice-langpack-ts-1:5.3.6.1-24.el7
  • libreoffice-langpack-uk-1:5.3.6.1-24.el7
  • libreoffice-langpack-ve-1:5.3.6.1-24.el7
  • libreoffice-langpack-xh-1:5.3.6.1-24.el7
  • libreoffice-langpack-zh-Hans-1:5.3.6.1-24.el7
  • libreoffice-langpack-zh-Hant-1:5.3.6.1-24.el7
  • libreoffice-langpack-zu-1:5.3.6.1-24.el7
  • libreoffice-librelogo-1:5.3.6.1-24.el7
  • libreoffice-math-1:5.3.6.1-24.el7
  • libreoffice-nlpsolver-1:5.3.6.1-24.el7
  • libreoffice-officebean-1:5.3.6.1-24.el7
  • libreoffice-officebean-common-1:5.3.6.1-24.el7
  • libreoffice-ogltrans-1:5.3.6.1-24.el7
  • libreoffice-opensymbol-fonts-1:5.3.6.1-24.el7
  • libreoffice-pdfimport-1:5.3.6.1-24.el7
  • libreoffice-postgresql-1:5.3.6.1-24.el7
  • libreoffice-pyuno-1:5.3.6.1-24.el7
  • libreoffice-rhino-1:5.3.6.1-24.el7
  • libreoffice-sdk-1:5.3.6.1-24.el7
  • libreoffice-sdk-doc-1:5.3.6.1-24.el7
  • libreoffice-ure-1:5.3.6.1-24.el7
  • libreoffice-ure-common-1:5.3.6.1-24.el7
  • libreoffice-wiki-publisher-1:5.3.6.1-24.el7
  • libreoffice-writer-1:5.3.6.1-24.el7
  • libreoffice-x11-1:5.3.6.1-24.el7
  • libreoffice-xsltfilter-1:5.3.6.1-24.el7
  • libreofficekit-1:5.3.6.1-24.el7
  • libreofficekit-devel-1:5.3.6.1-24.el7

The Hacker News