Digital Signature Spoofing Flaws Uncovered in OpenOffice and LibreOffice

The maintainers of LibreOffice and OpenOffice have shipped security updates to their productivity software to remediate multiple vulnerabilities that could be weaponized by malicious actors to alter documents to make them appear as if they are digitally signed by a trusted source.

The list of the three flaws is as follows:

CVE-2021-41830 / CVE-2021-25633 – Content and Macro Manipulation with Double Certificate Attack
CVE-2021-41831 / CVE-2021-25634 – Timestamp Manipulation with Signature Wrapping
CVE-2021-41832 / CVE-2021-25635 – Content Manipulation with Certificate Validation Attack

Successful exploitation of the vulnerabilities could permit an attacker to manipulate the timestamp of signed ODF documents, and worse, alter the contents of a document or self-sign a document with an untrusted signature, which is then tweaked to change the signature algorithm to an invalid or unknown algorithm.

Read full article on The Hacker News

 

