CVE-2024-6472 Overview
CVE-2024-6472 is a certificate validation vulnerability in LibreOffice that affects the user interface for signed macro verification. When a document containing a signed macro is opened, LibreOffice displays a warning before executing the macro. However, if the certificate verification fails, the warning message could be misinterpreted by users, potentially leading them to enable macros despite the failed verification.
Signed macros are scripts that have been digitally signed by the developer using a cryptographic signature. The security model relies on users making informed decisions based on accurate verification results. This vulnerability undermines that model by presenting verification failures in a confusing manner, which could lead to users inadvertently executing malicious macros.
Critical Impact
Users may unknowingly execute malicious macros due to confusing certificate verification failure messages, potentially leading to system compromise, data theft, or further malware deployment.
Affected Products
- LibreOffice versions 24.2 through 24.2.4
- LibreOffice libreoffice:libreoffice component
- All platforms running affected LibreOffice versions
Discovery Timeline
- 2024-08-05 - CVE-2024-6472 published to NVD
- 2025-12-10 - Last updated in NVD database
Technical Details for CVE-2024-6472
Vulnerability Analysis
This vulnerability is classified under CWE-295 (Improper Certificate Validation), specifically affecting the user interface component responsible for communicating certificate verification results to end users.
The core issue lies in how LibreOffice presents failed certificate verification attempts. When opening a document with a signed macro, LibreOffice performs cryptographic validation of the signature. If this validation fails (whether due to an invalid certificate, an untrusted certificate authority, certificate expiration, or signature tampering), the resulting warning message in affected versions does not clearly communicate the nature and severity of the failure.
The attack requires local access and user interaction, meaning an attacker must convince a victim to open a malicious document. However, the confusing UI makes it significantly more likely that users will bypass security warnings and enable potentially dangerous macros.
Root Cause
The root cause is improper certificate validation feedback in the user interface. The verification logic itself correctly identifies certificate failures, but the presentation layer fails to translate these technical failures into clear, actionable warnings for end users. This creates a gap between the security mechanism's detection capabilities and the user's ability to make informed security decisions.
The issue specifically manifests in LibreOffice versions from 24.2 before 24.2.5, indicating it was likely introduced during development of the 24.2 release branch.
Attack Vector
The attack vector is local with user interaction required. An attacker would craft a malicious LibreOffice document containing a macro with an invalid or maliciously crafted digital signature. The attack flow involves:
- Creating a document with embedded malicious macro code
- Applying an invalid or untrusted certificate signature to the macro
- Distributing the document to potential victims via email, file sharing, or other means
- When opened, the confusing verification failure message may lead users to enable the macro
- Upon enablement, the malicious macro executes with the user's privileges
The vulnerability does not provide automatic code execution—it relies on social engineering amplified by the confusing UI to trick users into enabling macros they should reject.
Detection Methods for CVE-2024-6472
Indicators of Compromise
- LibreOffice documents (.odt, .ods, .odp, .docx, .xlsx, .pptx) with embedded macros from untrusted sources
- Unusual macro execution events in LibreOffice logs following document opens
- Documents with certificates that fail validation but were still allowed to execute
- Presence of recently opened documents from suspicious email attachments or downloads
Detection Strategies
- Monitor for LibreOffice processes spawning unexpected child processes after document opens
- Implement endpoint detection rules for macro-enabled document execution patterns
- Deploy SentinelOne behavioral AI to detect post-exploitation activity from malicious macro payloads
- Review LibreOffice security logs for certificate verification failures followed by macro execution
Monitoring Recommendations
- Enable enhanced logging for LibreOffice macro execution events
- Configure SentinelOne to monitor document application child process creation
- Implement network monitoring for suspicious outbound connections following document opens
- Track file hash reputation for documents with embedded macros
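The indicators above mention documents with embedded macros, and the last monitoring item tracks their hashes. The following triage sketch is an added example, not code from LibreOffice or from this advisory. It covers only ODF packages (.odt, .ods, .odp), not the OOXML formats. The package paths are ODF conventions and the sample documents are constructed.

```python
import hashlib
import io
import zipfile

# ODF package layout (known format conventions, not taken from the advisory).
MACRO_DIRS = ("Basic/", "Scripts/")               # Basic libraries and script-provider code
INDEX_FILES = ("script-lc.xml", "script-lb.xml")  # library indexes, present even when empty
MACRO_SIGNATURE = "META-INF/macrosignatures.xml"  # written when the macros are signed

def triage_odf(data: bytes) -> dict:
    """Summarise the macro content of an ODF package without opening it in LibreOffice."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "is_odf": False,
              "macro_entries": [], "macro_signature_present": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            if "mimetype" in names:
                mime = pkg.read("mimetype")
                report["is_odf"] = mime.startswith(b"application/vnd.oasis.opendocument.")
    except zipfile.BadZipFile:
        return report  # not a ZIP container, e.g. flat XML or a legacy binary format
    report["macro_entries"] = sorted(
        n for n in names
        if n.startswith(MACRO_DIRS) and not n.endswith("/") and not n.endswith(INDEX_FILES))
    report["macro_signature_present"] = MACRO_SIGNATURE in names
    return report

def verdict(report: dict) -> str:
    """Classify for review; a signature file alone never proves the certificate validates."""
    if not report["macro_entries"]:
        return "no-macros"
    return "macros-signed-unverified" if report["macro_signature_present"] else "macros-unsigned"

def build_sample(with_macro: bool, signed: bool) -> bytes:
    """Constructed sample package with placeholder contents, for the demo only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("Basic/script-lc.xml", "<library:libraries/>")  # empty index
        if with_macro:
            z.writestr("Basic/Standard/Module1.xml", "<script:module/>")
        if signed:
            z.writestr(MACRO_SIGNATURE, "<document-signatures/>")
    return buf.getvalue()

if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print(flags, verdict(triage_odf(build_sample(*flags))))
```

A "macros-signed-unverified" result means only that a signature file is present; whether the certificate validates still has to be checked in a patched LibreOffice.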
How to Mitigate CVE-2024-6472
Immediate Actions Required
- Update LibreOffice to version 24.2.5 or later immediately
- Configure LibreOffice macro security to "High" or "Very High" to restrict macro execution
- Educate users about the risks of enabling macros from untrusted sources
- Consider temporarily disabling macro execution organization-wide until patching is complete
Patch Information
LibreOffice has addressed this vulnerability in version 24.2.5. The patch improves the certificate verification user interface to clearly communicate verification failures, making it easier for users to understand when a macro signature cannot be trusted. Organizations should update to this version or later as soon as possible.
For detailed patch information, refer to the LibreOffice Security Advisory CVE-2024-6472.
Workarounds
- Set macro security level to "Very High" which only allows macros from trusted file locations
- Disable all macros by setting Tools → Options → LibreOffice → Security → Macro Security to "Very High"
- Remove untrusted certificates from the LibreOffice certificate store
- Use organization-wide group policies to enforce macro restrictions pending patching
# Configuration example - Restrict macros via registrymodifications.xcu
# Add to the LibreOffice user profile configuration
# Location: ~/.config/libreoffice/4/user/registrymodifications.xcu
# Set macro security level to Very High (3); defined levels are 0 (Low), 1 (Medium), 2 (High), 3 (Very High)
# <item oor:path="/org.openoffice.Office.Common/Security/Scripting">
# <prop oor:name="MacroSecurityLevel" oor:op="fuse"><value>3</value></prop>
# </item>
# The --infilter option selects an import filter and does not set the macro security level;
# deploy the setting through the configuration entry above.
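To confirm that a profile actually carries the macro security setting described in the workarounds, the following audit sketch (an added example, not LibreOffice's or the advisory's code) reads the level from registrymodifications.xcu content. The profile fragments are constructed. The level names 0 to 3 are LibreOffice's defined values. Treating a missing entry as "High" and keeping the last repeated entry are assumptions.

```python
import xml.etree.ElementTree as ET

OOR = "{http://openoffice.org/2001/registry}"   # namespace of the oor: attributes
SCRIPTING_PATH = "/org.openoffice.Office.Common/Security/Scripting"
LEVELS = {0: "Low", 1: "Medium", 2: "High", 3: "Very High"}
ASSUMED_DEFAULT = 2  # assumption: a profile with no explicit entry behaves as "High"

def macro_security_level(xcu_text: str):
    """Return (level, explicitly_set) read from registrymodifications.xcu content."""
    level = None
    for item in ET.fromstring(xcu_text).iter("item"):
        if item.get(OOR + "path") != SCRIPTING_PATH:
            continue
        for prop in item.findall("prop"):
            value = (prop.findtext("value") or "").strip()
            if prop.get(OOR + "name") == "MacroSecurityLevel" and value.lstrip("-").isdigit():
                level = int(value)  # assumption: if repeated, the last entry read is kept
    return (ASSUMED_DEFAULT, False) if level is None else (level, True)

def audit(xcu_text: str, minimum: int = 2) -> str:
    """Compare the profile's level with a required minimum (2 = High, as the page advises)."""
    level, explicit = macro_security_level(xcu_text)
    source = "explicit" if explicit else "assumed default"
    if level not in LEVELS:
        return f"FAIL: MacroSecurityLevel={level} is not a defined level"
    status = "OK" if level >= minimum else "FAIL"
    return f"{status}: {LEVELS[level]} ({level}, {source}), minimum {LEVELS[minimum]}"

# Constructed profile fragments for the demo.
HEADER = '<oor:items xmlns:oor="http://openoffice.org/2001/registry">'

def profile(level=None) -> str:
    body = "" if level is None else (
        f'<item oor:path="{SCRIPTING_PATH}"><prop oor:name="MacroSecurityLevel" '
        f'oor:op="fuse"><value>{level}</value></prop></item>')
    return f"{HEADER}{body}</oor:items>"

if __name__ == "__main__":
    for lvl in (None, 0, 3, 7):
        print(lvl, "->", audit(profile(lvl)))
```

For a real check, pass the text of the profile file at the location given above to `audit()`.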


