EulerOS 2.0 SP5 : libreoffice (EulerOS-SA-2019-1976)

critical Nessus Plugin ID 129133

Synopsis

The remote EulerOS host is missing multiple security updates.

Description

According to the versions of the libreoffice packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities:

- libreoffice: Arbitrary python functions in arbitrary modules on the filesystem can be executed without warning (CVE-2018-16858)

- LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document, a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5. (CVE-2019-9848)

- LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained within the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handlers. However, an insufficient URL validation vulnerability in LibreOffice allowed a malicious document to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9850)

- LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained within the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers, e.g. mouse over. However, LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9851)

- LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However, this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed URL describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9852)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected libreoffice packages.

See Also

http://www.nessus.org/u?4a47f6df

Plugin Details

Severity: Critical

ID: 129133

File Name: EulerOS_SA-2019-1976.nasl

Version: 1.6

Type: local

Published: 9/23/2019

Updated: 4/24/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-9851

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:autocorr-en, p-cpe:/a:huawei:euleros:libreoffice-calc, p-cpe:/a:huawei:euleros:libreoffice-core, p-cpe:/a:huawei:euleros:libreoffice-data, p-cpe:/a:huawei:euleros:libreoffice-draw, p-cpe:/a:huawei:euleros:libreoffice-filters, p-cpe:/a:huawei:euleros:libreoffice-graphicfilter, p-cpe:/a:huawei:euleros:libreoffice-gtk2, p-cpe:/a:huawei:euleros:libreoffice-gtk3, p-cpe:/a:huawei:euleros:libreoffice-impress, p-cpe:/a:huawei:euleros:libreoffice-langpack-en, p-cpe:/a:huawei:euleros:libreoffice-math, p-cpe:/a:huawei:euleros:libreoffice-opensymbol-fonts, p-cpe:/a:huawei:euleros:libreoffice-pdfimport, p-cpe:/a:huawei:euleros:libreoffice-pyuno, p-cpe:/a:huawei:euleros:libreoffice-ure, p-cpe:/a:huawei:euleros:libreoffice-ure-common, p-cpe:/a:huawei:euleros:libreoffice-writer, p-cpe:/a:huawei:euleros:libreoffice-x11, p-cpe:/a:huawei:euleros:libreoffice-xsltfilter, p-cpe:/a:huawei:euleros:libreofficekit, cpe:/o:huawei:euleros:2.0

Required KB Items: Host/local_checks_enabled, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp

Excluded KB Items: Host/EulerOS/uvp_version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/24/2019

Exploitable With

Core Impact

Metasploit (LibreOffice Macro Python Code Execution)

Reference Information

CVE: CVE-2018-16858, CVE-2019-9848, CVE-2019-9850, CVE-2019-9851, CVE-2019-9852