Severe RCE Flaw Disclosed in Popular LibreOffice and OpenOffice Software (Feb 5, 2019)
Security researcher Alex Infuhr discovered a severe Remote Code Execution (RCE) vulnerability in the open-source office suites "LibreOffice" and "Apache OpenOffice." The vulnerability could be triggered by opening a malicious OpenDocument Text (ODT) file that exploits a directory traversal flaw, "CVE-2018-16858," to execute a specific Python library in the software. The Python file "pydoc.py," which is included in LibreOffice's Python interpreter, accepts arbitrary commands, which allows a threat actor to trick the interpreter into executing a malicious payload. This vulnerability affects both Windows and Linux operating systems.
Recommendation: LibreOffice patched this issue and released new versions, 6.0.7/6.1.3, so it is recommended to update your system to the most recent version. OpenOffice has yet to release a patch for this vulnerability. Your company should have policies in place for maintaining server software so that new security updates are applied as soon as possible. Threat actors often use vulnerabilities for which patches have already been issued, because information about an exploit and proof-of-concept code sometimes become available in public sources once a patch has been issued. Actors of all levels of sophistication are known to exploit such vulnerabilities because, as this story shows, many users and administrators do not apply security updates.
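A defensive check for the document pattern described above, as an added example that is not part of the original brief or of LibreOffice's own code: it scans the XML inside an ODT file for script URIs whose script name contains a `..` path segment or references `pydoc.py`. `vnd.sun.star.script:` is LibreOffice's script URI scheme; the helper names, the size cap and the sample documents are assumptions constructed for illustration.

```python
import html
import io
import re
import zipfile
from urllib.parse import unquote

SCHEME = "vnd.sun.star.script:"        # LibreOffice script URI scheme
ATTR = re.compile(r"""=\s*(?:"([^"]*)"|'([^']*)')""")  # any XML attribute value
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
MAX_MEMBER = 20 * 1024 * 1024           # assumed cap: skip oversized members

def check_uri(value):
    """Return the reasons a script URI looks suspicious (empty list if none)."""
    uri = unquote(value)                           # undo percent-encoding
    name = uri.split(":", 1)[1].split("?", 1)[0]   # script name, without query
    reasons = []
    if TRAVERSAL.search(name):
        reasons.append("path traversal in script name")
    if "pydoc.py" in name.lower():
        reasons.append("references pydoc.py")
    return reasons

def scan_odt(data):
    """Scan the bytes of an ODT (ZIP) file; return [(member, uri, reasons)]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as odt:
        for info in odt.infolist():
            if not info.filename.endswith(".xml") or info.file_size > MAX_MEMBER:
                continue
            text = odt.read(info).decode("utf-8", errors="replace")
            for m in ATTR.finditer(text):
                # Decode XML entities first so encoded dots or slashes are seen.
                value = html.unescape(m.group(1) or m.group(2) or "").strip()
                reasons = check_uri(value) if value.lower().startswith(SCHEME) else []
                if reasons:
                    findings.append((info.filename, value, reasons))
    return findings

def make_odt(href):
    """Build a minimal constructed ODT-like ZIP holding one event-listener href."""
    xml = f'<doc><script:event-listener xlink:href="{href}"/></doc>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", xml)
    return buf.getvalue()

# Constructed samples with placeholder paths, not taken from a real document.
SUSPECT = make_odt(SCHEME + "../../PLACEHOLDER/pydoc.py?language=Python&amp;location=share")
BENIGN = make_odt(SCHEME + "Standard.Module1.Main?language=Basic&amp;location=document")
```

A hit is a reason to quarantine the file for review, not proof of compromise, and the check does not replace applying the patched versions.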