How To Fix Digital Signature Spoofing Vulnerabilities In LibreOffice- CVE-2021-25633, CVE-2021-25634, CVE-2021-25635?

On Oct 11, LibreOffice rolled out security updates to fix new digital signature spoofing vulnerabilities in the LibreOffice suite. Let’s see the impact of Digital Signature Spoofing attacks and how to fix the three new digital signature spoofing vulnerabilities in LibreOffice tracked as CVE-2021-25633, CVE-2021-25634, and CVE-2021-25635.

Summary Of The New Digital Signature Spoofing Vulnerabilities In LibreOffice:

A total of three vulnerabilities were recently discovered on LibreOffice, which could be used to manipulate the content of the documents to make them appear as if they are digitally signed by a trusted source.

#1. CVE-2021-25633:

LibreOffice supports digital signatures of ODF documents to retain the integrity of the document. This feature confirms the recipient of the document that no alteration has occurred since the last signing.

This vulnerability allows attackers to manipulate content to carry out a Double Certificate Attack. An attacker could leverage this CVE-2021-25633 Double Certificate vulnerability to manipulate the documentsignatures.xml or macrosignatures.xml stream within the document to combine multiple certificate data, making the document appear as if the document is digitally signed with a trusted certificate.

This vulnerability has been fixed in LibreOffice 7.0.6/7.1.2

#2. CVE-2021-25634:

This vulnerability allows attackers to manipulate timestamps to carry out the Signature Wrapping Attack. An attacker could leverage this CVE-2021-25634 Signature Wrapping vulnerability to insert an additional signing time timestamp, making an invalid or expired certificate appear as a valid one.

This vulnerability has been fixed in LibreOffice 7.0.6/7.1.2

#3. CVE-2021-25635:

This vulnerability allows attackers to manipulate content to carry out the Certificate Validation Attack. An attacker could leverage this CVE-2021-25633 Certificate Validation vulnerability to sign an ODF document with a self-signed certificate or a certificate issued by an untrusted certificate authority, and then the attacker would change the signature algorithm with an invalid algorithm. This allows attackers to incorrectly present a signature with an unknown algorithm as a valid signature issued by a trusted party.

This vulnerability has been fixed in LibreOffice v7.0.5/7.1.1.

How To Fix Digital Signature Spoofing Vulnerabilities In LibreOffice?

All three vulnerabilities CVE-2021-25633, CVE-2021-25634, and CVE-2021-25635, can be fixed by upgrading to LibreOffice to 7.1.2. It is always a good practice to upgrade applications to the latest stable version. Let's see how to upgrade LibreOffice to v 7.2.1.2.

How to upgrade LibreOffice to the latest version?

Step 1. Verify the version of LibreOffice on your Ubuntu or Linux Mint

Run this command to check the version of LibreOffice.

$ LibreOffice –version

Step 2. LibreOffice version info

Step 3. Add the PPA repository of LibreOffice and update the cache

Run this command to add the PPA repository of LibreOffice and update the cache on Ubuntu or Linux Mint.

$ sudo add-apt-repository ppa:libreoffice/ppa && sudo apt update

Step 4. Install LibreOffice from PPA on Ubuntu or Linux Mint

Install the latest version of LibreOffice on Ubuntu.

$ sudo apt install libreoffice

Step 5. Verify the version information of LibreOffice after upgradation

Run this command on CLI to check the version information of LibreOffice.

$ LibreOffice –version

Step 6. LibreOffice version info after the upgrade

We hope this post helps you in fixing the three new digital signature spoofing vulnerabilities in LibreOffice tracked as CVE-2021-25633, CVE-2021-25634, and CVE-2021-25635.

Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.