CVE-2021-25635 - Improper Certificate Validation in LibreOffice Allows Spoofing of Document Signatures

A recent vulnerability discovered in LibreOffice (CVE-2021-25635) allows an attacker to exploit an improper certificate validation flaw, making it possible to self-sign an Open Document Format (ODF) document with an untrusted signature. The attacker can then modify the document, changing the signature algorithm to an invalid or unknown one, which LibreOffice will present as a valid signature issued by a trusted person. In this article, we will examine how this vulnerability works and the steps needed for a mitigation strategy.

Exploit Details

The issue lies in the way LibreOffice validates ODF document signatures. By default, an attacker can sign an ODF document using a self-generated certificate and the victim will see a warning that the document has a signature that is not trusted. The attacker can then modify the document's signature algorithm to one that is not recognized by LibreOffice, causing the application to display the signature as a valid one issued by a trusted source.

Consider the following example

Step 1: Attacker self-signs an ODF document with an untrusted certificate

<ds:Signature xmlns:ds="http://www.w3.org/200/09/xmldsig#">;
  ...
  <ds:X509IssuerName>CN=Attacker</ds:X509IssuerName>
  ...
</ds:Signature>

Step 2: Attacker modifies the document, changing the signature algorithm to an invalid one

<ds:Signature xmlns:ds="http://www.w3.org/200/09/xmldsig#">;
  ...
  <ds:SignatureMethod Algorithm="http://www.example.com/fake-algorithm"/>;
  ...
</ds:Signature>

When LibreOffice opens the modified document, it will incorrectly display the signature as a valid and trusted one.

Mitigation Strategy

The LibreOffice project has released patched versions of the software that addresses this vulnerability:

You can download the latest versions from the official LibreOffice website

- Download LibreOffice 7..5
- Download LibreOffice 7.1.1

Be cautious when opening documents from unknown sources

- Verify the authenticity of signatures displayed in documents by manually checking the signer's identity

Conclusion

In conclusion, CVE-2021-25635 is a significant vulnerability that allows an attacker to present a modified LibreOffice document with a fake, valid signature issued by a trusted source. Users should make sure to update their LibreOffice installation to the latest version and practice caution when handling documents with signatures.

Original References

- CVE-2021-25635 - National Vulnerability Database
- LibreOffice Security Advisory
- The Document Foundation Blog - LibreOffice 7..5 and 7.1.1 released

Timeline

Published on: 03/21/2025 15:15:35 UTC