Weak Master Keys
Fixed in Apache OpenOffice 4.1.13
Description
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config.
Severity: Moderate
There are no known exploits of this vulnerability.
A proof-of-concept demonstration exists.
Thanks to the reporter for discovering this issue.
Vendor: The Apache Software Foundation
Versions Affected
All Apache OpenOffice versions 4.1.12 and older are affected.
OpenOffice.org versions may also be affected.
Mitigation
Install Apache OpenOffice 4.1.13 for the latest maintenance and cumulative security fixes. Use the Apache OpenOffice download page.
Acknowledgments
The Apache OpenOffice Security Team would like to thank Selma Jabour, OpenSource Security GmbH, Germany on behalf of the German Federal Office for Information Security, for discovering and reporting this attack vector
Further Information
For additional information and assistance, consult the Apache OpenOffice Community Forums or make requests to the users@openoffice.apache.org public mailing list.
The latest information on Apache OpenOffice security bulletins can be found at the Bulletin Archive page.
