Vulnerabilities > CVE-2019-9849
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
LOW Integrity impact
NONE Availability impact
NONE Summary
LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.
Vulnerable Configurations
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2019-5561D20558.NASL description - CVE-2019-9848 LibreLogo arbitrary script execution - CVE-2019-9849 remote bullet graphics retrieved in last seen 2020-06-01 modified 2020-06-02 plugin id 126799 published 2019-07-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126799 title Fedora 30 : 1:libreoffice (2019-5561d20558) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-5561d20558. # include("compat.inc"); if (description) { script_id(126799); script_version("1.5"); script_cvs_date("Date: 2019/09/24 11:01:32"); script_cve_id("CVE-2019-9848", "CVE-2019-9849"); script_xref(name:"FEDORA", value:"2019-5561d20558"); script_name(english:"Fedora 30 : 1:libreoffice (2019-5561d20558)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - CVE-2019-9848 LibreLogo arbitrary script execution - CVE-2019-9849 remote bullet graphics retrieved in 'stealth mode' Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-5561d20558" ); script_set_attribute( attribute:"solution", value:"Update the affected 1:libreoffice package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:libreoffice"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/19"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC30", reference:"libreoffice-6.2.5.2-1.fc30", epoch:"1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:libreoffice"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4063-1.NASL description Nils Emmerich discovered that LibreOffice incorrectly handled LibreLogo scripts. If a user were tricked into opening a specially crafted document, a remote attacker could cause LibreOffice to execute arbitrary code. (CVE-2019-9848) Matei last seen 2020-06-01 modified 2020-06-02 plugin id 126815 published 2019-07-19 reporter Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126815 title Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : libreoffice vulnerabilities (USN-4063-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-4063-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(126815); script_version("1.5"); script_cvs_date("Date: 2019/09/24 11:01:33"); script_cve_id("CVE-2019-9848", "CVE-2019-9849"); script_xref(name:"USN", value:"4063-1"); script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : libreoffice vulnerabilities (USN-4063-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Nils Emmerich discovered that LibreOffice incorrectly handled LibreLogo scripts. If a user were tricked into opening a specially crafted document, a remote attacker could cause LibreOffice to execute arbitrary code. (CVE-2019-9848) Matei 'Mal' Badanoiu discovered that LibreOffice incorrectly handled stealth mode. Contrary to expectations, bullet graphics could be retrieved from remote locations when running in stealth mode. (CVE-2019-9849). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/4063-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected libreoffice-core package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libreoffice-core"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/19"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(16\.04|18\.04|19\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"16.04", pkgname:"libreoffice-core", pkgver:"1:5.1.6~rc2-0ubuntu1~xenial8")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"libreoffice-core", pkgver:"1:6.0.7-0ubuntu0.18.04.8")) flag++; if (ubuntu_check(osver:"19.04", pkgname:"libreoffice-core", pkgver:"1:6.2.5-0ubuntu0.19.04.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libreoffice-core"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2183.NASL description This update for libreoffice fixes the following issues : Updated to version 6.2.7.1. Security issues fixed : - CVE-2019-9849: Disabled fetching remote bullet graphics in last seen 2020-06-01 modified 2020-06-02 plugin id 129346 published 2019-09-25 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129346 title openSUSE Security Update : libreoffice (openSUSE-2019-2183) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1151.NASL description The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1151 advisory. - libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands (CVE-2019-9848) - libreoffice: Remote resources protection module not applied to bullet graphics (CVE-2019-9849) - libreoffice: Insufficient URL validation allowing LibreLogo script execution (CVE-2019-9850) - libreoffice: LibreLogo global-event script execution (CVE-2019-9851) - libreoffice: Insufficient URL encoding flaw in allowed script location check (CVE-2019-9852) - libreoffice: Insufficient URL decoding flaw in categorizing macro location (CVE-2019-9853) - libreoffice: Unsafe URL assembly flaw in allowed script location check (CVE-2019-9854) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-04-23 modified 2020-04-01 plugin id 135068 published 2020-04-01 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135068 title RHEL 7 : libreoffice (RHSA-2020:1151) NASL family Fedora Local Security Checks NASL id FEDORA_2019-2FE22A3A2C.NASL description - CVE-2019-9850 Insufficient url validation allowing LibreLogo script execution - CVE-2019-9851 LibreLogo global-event script execution - CVE-2019-9852 Insufficient URL encoding flaw in allowed script location check ---- - CVE-2019-9848 LibreLogo arbitrary script execution - CVE-2019-9849 remote bullet graphics retrieved in last seen 2020-06-01 modified 2020-06-02 plugin id 128128 published 2019-08-26 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128128 title Fedora 29 : 1:libreoffice (2019-2fe22a3a2c) NASL family MacOS X Local Security Checks NASL id MACOS_LIBREOFFICE_625.NASL description The version of LibreOffice installed on the remote macOS host is prior to 6.2.5. It is, therefore, affected by multiple vulnerabilities : - An arbitrary script execution vulnerability exists due to a flaw allowing event-based execution of python scripts within a document. Note, LibreLogo must be installed for this vulnerability to be exploitable. LibreLogo is frequently bundled with LibreOffice. (CVE-2019-9848) - An information disclosure vulnerability exists due to how bullet graphics are handled when in last seen 2020-06-01 modified 2020-06-02 plugin id 127113 published 2019-08-05 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127113 title LibreOffice < 6.2.5 Multiple Vulnerabilities (macOS) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4483.NASL description Two security issues have been discovered in LibreOffice : - CVE-2019-9848 Nils Emmerich discovered that malicious documents could execute arbitrary Python code via LibreLogo. - CVE-2019-9849 Matei Badanoiu discovered that the stealth mode did not apply to bullet graphics. last seen 2020-06-01 modified 2020-06-02 plugin id 126755 published 2019-07-17 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126755 title Debian DSA-4483-1 : libreoffice - security update NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201908-13.NASL description The remote host is affected by the vulnerability described in GLSA-201908-13 (LibreOffice: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in LibreOffice. Please review the CVE identifiers referenced below for details. Impact : Please review the referenced CVE identifiers for details. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 127962 published 2019-08-20 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127962 title GLSA-201908-13 : LibreOffice: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1947.NASL description Several vulnerabilities were discovered in LibreOffice, the office productivity suite. CVE-2019-9848 Nils Emmerich discovered that malicious documents could execute arbitrary Python code via LibreLogo. CVE-2019-9849 Matei Badanoiu discovered that the stealth mode did not apply to bullet graphics. CVE-2019-9850 It was discovered that the protections implemented in CVE-2019-9848 could be bypassed because of insufficient URL validation. CVE-2019-9851 Gabriel Masei discovered that malicious documents could execute arbitrary pre-installed scripts. CVE-2019-9852 Nils Emmerich discovered that the protection implemented to address CVE-2018-16858 could be bypassed by a URL encoding attack. CVE-2019-9853 Nils Emmerich discovered that malicious documents could bypass document security settings to execute macros contained within the document. CVE-2019-9854 It was discovered that the protection implemented to address CVE-2019-9852 could be bypassed because of insufficient input sanitization. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 129595 published 2019-10-07 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129595 title Debian DLA-1947-1 : libreoffice security update NASL family Scientific Linux Local Security Checks NASL id SL_20200407_LIBREOFFICE_ON_SL7_X.NASL description * libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands * libreoffice: Insufficient URL validation allowing LibreLogo script execution * libreoffice: LibreLogo global-event script execution * libreoffice: Insufficient URL encoding flaw in allowed script location check * libreoffice: Insufficient URL decoding flaw in categorizing macro location * libreoffice: Unsafe URL assembly flaw in allowed script location check * libreoffice: Remote resources protection module not applied to bullet graphics last seen 2020-04-30 modified 2020-04-21 plugin id 135817 published 2020-04-21 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135817 title Scientific Linux Security Update : libreoffice on SL7.x x86_64 (20200407) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2402-1.NASL description This update for libreoffice fixes the following issues : Updated to version 6.2.7.1. Security issues fixed : CVE-2019-9849: Disabled fetching remote bullet graphics in last seen 2020-06-01 modified 2020-06-02 plugin id 129046 published 2019-09-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129046 title SUSE SLED15 / SLES15 Security Update : libreoffice (SUSE-SU-2019:2402-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2401-1.NASL description This update for libreoffice to version 6.2.7.1 fixes the following issues : Security issues fixed : CVE-2019-9849: Disabled fetching remote bullet graphics in last seen 2020-06-01 modified 2020-06-02 plugin id 129045 published 2019-09-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129045 title SUSE SLED12 Security Update : libreoffice (SUSE-SU-2019:2401-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2057.NASL description This update for libreoffice fixes the following issues : Security issues fixed : - CVE-2019-9849: Disabled fetching remote bullet graphics in last seen 2020-06-01 modified 2020-06-02 plugin id 128463 published 2019-09-03 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128463 title openSUSE Security Update : libreoffice (openSUSE-2019-2057) NASL family Windows NASL id LIBREOFFICE_625.NASL description The version of LibreOffice installed on the remote Windows host is prior to 6.2.5. It is, therefore, affected by multiple vulnerabilities : - An arbitrary script execution vulnerability exists due to a flaw allowing event-based execution of python scripts within a document. Note, LibreLogo must be installed for this vulnerability to be exploitable. LibreLogo is frequently bundled with LibreOffice. (CVE-2019-9848) - An information disclosure vulnerability exists due to how bullet graphics are handled when in last seen 2020-06-01 modified 2020-06-02 plugin id 127114 published 2019-08-05 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127114 title LibreOffice < 6.2.5 Multiple Vulnerabilities (Windows) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2020-1151.NASL description The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1151 advisory. - libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands (CVE-2019-9848) - libreoffice: Remote resources protection module not applied to bullet graphics (CVE-2019-9849) - libreoffice: Insufficient URL validation allowing LibreLogo script execution (CVE-2019-9850) - libreoffice: LibreLogo global-event script execution (CVE-2019-9851) - libreoffice: Insufficient URL encoding flaw in allowed script location check (CVE-2019-9852) - libreoffice: Insufficient URL decoding flaw in categorizing macro location (CVE-2019-9853) - libreoffice: Unsafe URL assembly flaw in allowed script location check (CVE-2019-9854) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-06 modified 2020-04-10 plugin id 135347 published 2020-04-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135347 title CentOS 7 : libreoffice (CESA-2020:1151)
Redhat
| rpms |
|
The Hacker News
| id | THN:5BC8F1A67A1CCC7511A6D85B8051C8F3 |
| last seen | 2019-07-26 |
| modified | 2019-07-26 |
| published | 2019-07-26 |
| reporter | The Hacker News |
| source | https://thehackernews.com/2019/07/libreoffice-vulnerability.html |
| title | Just Opening A Document in LibreOffice Can Hack Your Computer (Unpatched) |
References
- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9849
- https://usn.ubuntu.com/4063-1/
- http://www.securityfocus.com/bid/109374
- https://security.gentoo.org/glsa/201908-13
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPTZJCNN52VNGSVC5DFKVW3EDMRDWKMP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH/