LibreOffice LibreLogo Arbitrary Command Execution Vulnerability [CVE-2019-9850]
CVE number – CVE-2019-9850
A vulnerability in LibreOffice could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. The vulnerability exists because the affected software mishandles LibreLogo scripts. An attacker could exploit this vulnerability by persuading a user to open a crafted document. A successful exploit could allow the attacker to execute arbitrary commands on an affected system.LibreOffice has confirmed this vulnerability and released software updates.
Analysis
- To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to open a crafted document.
Safeguards
- Administrators are advised to apply the appropriate updates. Administrators are advised to allow only trusted users to have network access. Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems. Administrators can help protect affected systems from external attacks by using a solid firewall strategy. Administrators are advised to monitor affected systems.
Vendor Announcements
- LibreOffice has issued a security advisory at the following link: CVE-2019-9850
Fixed Software
- LibreOffice has released software updates at the following link: LibreOffice 6.2.6
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.