Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Fix Digital Signature Spoofing Vulnerabilities In LibreOffice- CVE-2021-25633, CVE-2021-25634, CVE-2021-25635?
October 13, 2021
|
4m

How To Fix Digital Signature Spoofing Vulnerabilities In LibreOffice- CVE-2021-25633, CVE-2021-25634, CVE-2021-25635?


How To Fix Digital Signature Spoofing Vulnerabilities In Libreoffice

On Oct 11, LibreOffice rolled out security updates to fix new digital signature spoofing vulnerabilities in the LibreOffice suite. Lets see the impact of Digital Signature Spoofing attacks and how to fix the three new digital signature spoofing vulnerabilities in LibreOffice tracked as CVE-2021-25633, CVE-2021-25634, and CVE-2021-25635.

Summary Of The New Digital Signature Spoofing Vulnerabilities In LibreOffice:

A total of three vulnerabilities were recently discovered on LibreOffice, which could be used to manipulate the content of the documents to make them appear as if they are digitally signed by a trusted source.

  • CVE-2021-25633 Content Manipulation with Double Certificate Attack

  • CVE-2021-25634 Timestamp Manipulation with Signature Wrapping Attack

  • CVE-2021-25635 Content Manipulation with Certificate Validation Attack

#1. CVE-2021-25633:

LibreOffice supports digital signatures of ODF documents to retain the integrity of the document. This feature confirms the recipient of the document that no alteration has occurred since the last signing.

This vulnerability allows attackers to manipulate content to carry out a Double Certificate Attack. An attacker could leverage this CVE-2021-25633 Double Certificate vulnerability to manipulate the documentsignatures.xml or macrosignatures.xml stream within the document to combine multiple certificate data, making the document appear as if the document is digitally signed with a trusted certificate.

This vulnerability has been fixed in LibreOffice 7.0.6/7.1.2

#2. CVE-2021-25634:

This vulnerability allows attackers to manipulate timestamps to carry out the Signature Wrapping Attack. An attacker could leverage this CVE-2021-25634 Signature Wrapping vulnerability to insert an additional signing time timestamp, making an invalid or expired certificate appear as a valid one.

This vulnerability has been fixed in LibreOffice 7.0.6/7.1.2

#3. CVE-2021-25635:

This vulnerability allows attackers to manipulate content to carry out the Certificate Validation Attack. An attacker could leverage this CVE-2021-25633 Certificate Validation vulnerability to sign an ODF document with a self-signed certificate or a certificate issued by an untrusted certificate authority, and then the attacker would change the signature algorithm with an invalid algorithm. This allows attackers to incorrectly present a signature with an unknown algorithm as a valid signature issued by a trusted party.

This vulnerability has been fixed in LibreOffice v7.0.5/7.1.1.

How To Fix Digital Signature Spoofing Vulnerabilities In LibreOffice?

All three vulnerabilities CVE-2021-25633, CVE-2021-25634, and CVE-2021-25635, can be fixed by upgrading to LibreOffice to 7.1.2. It is always a good practice to upgrade applications to the latest stable version. Let's see how to upgrade LibreOffice to v 7.2.1.2.

How to upgrade LibreOffice to the latest version?

Step 1. Verify the version of LibreOffice on your Ubuntu or Linux Mint

Run this command to check the version of LibreOffice.

$ LibreOffice –version

Step 2. LibreOffice version info
Step 3. Add the PPA repository of LibreOffice and update the cache

Run this command to add the PPA repository of LibreOffice and update the cache on Ubuntu or Linux Mint.

$ sudo add-apt-repository ppa:libreoffice/ppa && sudo apt update

Step 4. Install LibreOffice from PPA on Ubuntu or Linux Mint

Install the latest version of LibreOffice on Ubuntu.

$ sudo apt install libreoffice

Step 5. Verify the version information of LibreOffice after upgradation

Run this command on CLI to check the version information of LibreOffice.

$ LibreOffice –version

Step 6. LibreOffice version info after the upgrade

We hope this post helps you in fixing the three new digital signature spoofing vulnerabilities in LibreOffice tracked as CVE-2021-25633, CVE-2021-25634, and CVE-2021-25635.

Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Vulnerabilities

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe