Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2020-13958

CVE-2020-13958: Apache OpenOffice RCE Vulnerability

CVE-2020-13958 is a remote code execution vulnerability in Apache OpenOffice that enables attackers to execute files via malicious hyperlinks in documents. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2020-13958 Overview

A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target user's file system. These hyperlinks can be triggered unconditionally, enabling potential arbitrary code execution when a victim opens a malicious document. The vulnerability exploits the document event handler mechanism, allowing internal protocols to be called without proper user confirmation.

Critical Impact

Attackers can craft malicious OpenOffice documents with hyperlinks that automatically execute local programs, potentially leading to complete system compromise when users open seemingly innocuous documents.

Affected Products

  • Apache OpenOffice (all versions prior to the security fix)

Discovery Timeline

  • 2020-11-17 - CVE CVE-2020-13958 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2020-13958

Vulnerability Analysis

This vulnerability stems from improper handling of scripting events and hyperlinks within Apache OpenOffice documents. The flaw allows attackers to embed specially crafted hyperlinks that reference executables on the target user's local file system. When a victim opens a malicious document, these hyperlinks can be triggered automatically through document event handlers without requiring explicit user interaction beyond opening the document.

The attack requires local access in terms of delivering the malicious document to the target system, but once opened, the exploitation is automatic. This represents a significant security boundary violation as office documents should not be able to execute arbitrary local programs. The vulnerability enables high impact across confidentiality, integrity, and availability, as successful exploitation can lead to complete system compromise depending on the executable that is triggered.

Root Cause

The root cause lies in the insufficient validation and restriction of internal protocol handlers within document scripting events. Apache OpenOffice failed to properly sanitize hyperlink targets in event handlers, allowing references to local file system executables. The application did not require explicit user confirmation (such as a control-click) before following hyperlinks that could result in code execution.

Attack Vector

The attack vector involves delivering a malicious OpenOffice document to the target user through common channels such as email attachments, file sharing services, or web downloads. The document contains embedded hyperlinks pointing to executables on the target's file system, configured to trigger via document events such as document open events.

When the victim opens the document, the scripting event handler automatically processes the malicious hyperlink, causing the referenced executable to run without additional user interaction. This attack requires user interaction to open the document but does not require any special privileges on the target system.

Detection Methods for CVE-2020-13958

Indicators of Compromise

  • Unexpected process execution originating from soffice.exe or OpenOffice-related processes
  • OpenOffice document files containing suspicious event handlers or hyperlinks referencing local executables
  • Unusual network activity or file system modifications following the opening of OpenOffice documents
  • Document metadata containing scripting events with file:// protocol references

Detection Strategies

  • Monitor process creation events for child processes spawned by OpenOffice applications
  • Implement file inspection rules to scan incoming documents for embedded hyperlinks referencing local file paths
  • Deploy endpoint detection and response (EDR) solutions to correlate document opens with subsequent suspicious process activity
  • Use application whitelisting to prevent unauthorized executables from being launched via document hyperlinks

Monitoring Recommendations

  • Enable detailed logging for OpenOffice application events and process execution
  • Implement Security Information and Event Management (SIEM) rules to detect anomalous parent-child process relationships involving office applications
  • Monitor for documents containing scripting events or macro-like behaviors in email gateways
  • Track file system access patterns following document opens to identify potential exploitation attempts

How to Mitigate CVE-2020-13958

Immediate Actions Required

  • Update Apache OpenOffice to the latest patched version immediately
  • Implement strict email filtering to quarantine potentially malicious OpenOffice documents
  • Educate users about the risks of opening untrusted documents
  • Consider disabling macros and scripting features in OpenOffice until patches are applied

Patch Information

Apache has released security patches that address this vulnerability. In fixed versions, no internal protocol may be called from the document event handler, and other hyperlinks require a control-click before activation. Users should update to the latest version of Apache OpenOffice as documented in the Apache OpenOffice security announcement.

Workarounds

  • Configure organizational policies to block or quarantine OpenOffice document attachments from untrusted sources
  • Disable or restrict document scripting and event handler functionality through OpenOffice security settings
  • Use application sandboxing or containerization to limit the impact of potential exploitation
  • Implement strict application control policies to prevent unauthorized executables from running

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.