CVE-2020-12801 Explained: Impact and Mitigation

CVE-2020-12801 is a LibreOffice flaw in which crash-recovered MSOffice encrypted documents default to not using encryption on the next save. This page covers the impacted versions and the mitigation steps.

Understanding CVE-2020-12801

What is CVE-2020-12801?

If LibreOffice crashes while an encrypted MSOffice document is open, the recovered document defaults to no encryption on subsequent saves, so users can unintentionally save an unencrypted copy of a file that was originally encrypted.

The Impact of CVE-2020-12801

This vulnerability affects the confidentiality of sensitive data in MSOffice documents, potentially exposing them to unauthorized access.

Technical Details of CVE-2020-12801

Vulnerability Description

LibreOffice defaults to saving crash-recovered MSOffice encrypted documents unencrypted on subsequent saves, posing a risk of data exposure.

Affected Systems and Versions

        Vendor: The Document Foundation
        Product: LibreOffice
        Affected Versions:
              6-3 series prior to 6.3.6
              6-4 series prior to 6.4.3

Exploitation Mechanism

The vulnerability occurs when LibreOffice crashes while handling encrypted MSOffice documents, leading to subsequent saves being unencrypted.

Mitigation and Prevention

Immediate Steps to Take

        Update LibreOffice to versions 6.3.6 or later for the 6-3 series, and 6.4.3 or later for the 6-4 series.
        Avoid working on encrypted MSOffice documents in LibreOffice until the software is patched.

Long-Term Security Practices

        Regularly update LibreOffice to the latest versions to ensure security patches are applied.
        Educate users on the importance of data encryption and safe document handling practices.

Patching and Updates

        The Document Foundation has released patches for LibreOffice to address this vulnerability.
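
An added example, not from the original advisory or from LibreOffice: a Python check that flags OOXML files (.docx, .xlsx, .pptx) that were expected to be encrypted but are stored as plain ZIP packages, which is what an unencrypted save produces. It relies on password-protected OOXML being wrapped in an OLE compound file with an EncryptedPackage stream; the file names, the expected_encrypted inventory and the sample files are constructed for illustration, and legacy binary formats (.doc, .xls) are out of scope.

```python
import os
import tempfile
import zipfile

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE compound file header
ZIP_MAGIC = b"PK\x03\x04"                             # unencrypted OOXML is a ZIP archive
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name in the compound file directory
OOXML_EXT = {".docx", ".xlsx", ".pptx"}

def ooxml_state(path):
    """Classify one OOXML file as 'encrypted', 'plaintext' or 'unknown'."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(CFB_MAGIC) and ENC_STREAM in data:
        return "encrypted"
    if data.startswith(ZIP_MAGIC):
        return "plaintext"
    return "unknown"

def audit(root, expected_encrypted):
    """Return names from expected_encrypted (a hypothetical inventory of
    encrypted documents) that are stored under root as plain ZIP."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if ext in OOXML_EXT and name in expected_encrypted:
                if ooxml_state(os.path.join(dirpath, name)) == "plaintext":
                    findings.append(name)
    return findings

def demo():
    """Run the audit over two constructed sample files."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stub: header and stream name only, not a valid document.
        with open(os.path.join(root, "payroll.docx"), "wb") as fh:
            fh.write(CFB_MAGIC + b"\x00" * 504 + ENC_STREAM)
        # Constructed plain package, as written by an unencrypted save.
        with zipfile.ZipFile(os.path.join(root, "budget.xlsx"), "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
        states = {n: ooxml_state(os.path.join(root, n)) for n in sorted(os.listdir(root))}
        return states, audit(root, {"payroll.docx", "budget.xlsx"})

if __name__ == "__main__":
    print(demo())
```

Running the audit over the folders where crash-recovered documents were re-saved on an affected version shows which files need to be re-encrypted after patching.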
