CVE-2018-10583 was assigned for Information disclosure via SMB link embedded in ODF document
A LibreOffice document with a linked image, which is on a samba share, will cause LibreOffice to automatically initiate a samba connection to retrieve the image. This is analogous to how opening HTML documents which contain links to images on remote web sites are automatically fetched by web browsers. If this is combined with an underlying flaw in Microsoft Windows (NTLM Hash Leaks) then this provides an additional vector by which a windows user password hash can leak. Since LibreOffice 5.4.7, and 6.0.4 in the 6.X series, end users or administrators can disable this functionality to automatically fetch such linked images via "tools->options->security->options->block any links from documents not among the trusted locations". By default this options remains off in those updates. https://www.libreoffice.org/about-us/security/advisories/CVE-2018-10583 https://dylankatz.com/NTLM-Hashes-Microsoft%27s-Ancient-Design-Flaw/ -- To unsubscribe e-mail to: discuss+unsubscr...@documentfoundation.org Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette List archive: https://listarchives.documentfoundation.org/www/discuss/ Privacy Policy: https://www.documentfoundation.org/privacy
