Security Advisory: CVE-2016-1513 Memory Corruption Vulnerability (Impress Presentations)


Dennis E. Hamilton-2
The [hidden email] list is the list of record for security advisories from the Apache OpenOffice project, along with its use for other announcements from the project.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


CVE-2016-1513
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1513>
Apache OpenOffice Advisory
<https://www.openoffice.org/security/cves/CVE-2016-1513.html>

Title: Memory Corruption Vulnerability (Impress Presentations)

Version 1.0
Announced July 21, 2016

Description

An OpenDocument Presentation .ODP or Presentation Template
.OTP file can contain invalid presentation elements that lead
to memory corruption when the document is loaded in Apache
OpenOffice Impress.  The defect may cause the document to
appear as corrupted and OpenOffice may crash in a
recovery-stuck mode.  A crafted exploitation of the defect can
allow an attacker to cause denial of service (memory corruption
and application crash) and possible execution of arbitrary code.

Severity: Medium

    There are no known exploits of this vulnerability.
    A proof-of-concept demonstration exists.

Vendor: The Apache Software Foundation

Versions Affected:

    All Apache OpenOffice versions 4.1.2 and older
    are affected.  OpenOffice.org versions are also
    affected.
   
Mitigation:

There is no updated download currently available to
mitigate this vulnerability.  Until a hot fix or
maintenance release is available, users should be
vigilant and employ workarounds.

A source-code patch that blocks the vulnerability
has been developed and is available for developers
at <https://bz.apache.org/ooo/show_bug.cgi?id=127045>.

Antivirus products can detect documents attempting to
exploit this vulnerability by employing Snort Signature
IDs 35828-35829.

Defenses and Work-Arounds:

For defects such as those involved in CVE-2016-1513,  
documents can be crafted to cause memory corruption enough
to crash Apache OpenOffice Impress.  However, the conditions
under which arbitrary code can be executed are complex and
difficult to achieve in an undetected manner.

An important layer of defense for all such cases is to
avoid operating Apache OpenOffice (and any other personal
productivity programs) under a computer account that has
administrative privileges of any kind.  While installation
of Apache OpenOffice requires elevated privileges and user
permission on platforms such as Microsoft Windows, operation
of the software does not.  

Keeping antivirus/antimalware software current is also
important. This will serve to identify and distinguish
suspicious documents that involve the exploit, avoiding
confusion with documents that are damaged and/or fail
for other reasons.

Impress cannot be used to directly produce documents having the
CVE-2016-1513-related defect.  Impress-authored .ODP and .OTP
documents of a user's own that exhibit any of these characteristics
are not the result of an exploit.  They may be consequences
of a separate Impress defect that should be reported.

For .ODP and .OTP files from unknown or suspicious sources,
any crash or failure of OpenOffice Impress when opening the
file can be checked by opening the file in an OpenDocument
Presentation application that is not vulnerable to the
defective document formatting involved in CVE-2016-1513.
Current releases of LibreOffice and Microsoft Office PowerPoint
(for .ODP files), including PowerPoint Online, are known
to avoid the defect.  Other ODF-supporting software may be
successful. The resulting presentation may appear corrupted
or incomplete and need not reflect an actual exploit attempt.  
Saving the document as a new presentation file will be
exploit-free either way.

To report a suspicious document from an external source on
which OpenOffice Impress crashes, preserve the file exactly
and report to <mailto:[hidden email]>.
Await further instructions for submission of the file itself.
Do not post files having suspected exploits to mailing lists,
the issue-reporting system, or any other public location.

Further Information:

For additional information and assistance, consult the Apache
OpenOffice Community Forums, <https://forum.openoffice.org/> or
make requests to the <mailto:[hidden email]> public
mailing list.  Defects not involving suspected security
vulnerabilities can be reported via
<http://www.openoffice.org/qa/issue_handling/pre_submission.html>.

The latest information on Apache OpenOffice security bulletins
can be found at the Bulletin Archive page
<http://www.openoffice.org/security/bulletin.html>.

Credits:

The Apache OpenOffice project acknowledges the discovery and
analysis for CVE-2016-1513 by Yves Younan and Richard Johnson
of Cisco Talos.
