Community mailing list archives

Odoo Security Advisory - 2015-password-crypt

Olivier Dony (odo)
- 06/23/2015 12:43:57
Security Advisory                          2015-password-crypt

Title: User access to secure password hashes

Affects: Odoo 7.0 and 8.0
Component: Odoo Addons
Credits: Openinside Co.


I.   Background

Odoo comes with an `auth_crypt` module implementing secure
password hashes, instead of the default clear text storage
for passwords.

This module is optional in Odoo 7.0, but installed automatically
as of Odoo 8.0 for new databases. Upgrading an instance from
Odoo 7.0 to Odoo 8.0 does not automatically install it, though.

II.  Problem Description

The `auth_crypt` module did not sufficiently protect the
database field containing the secure password hashes.

III. Impact

A malicious user with read access to the list of users could
make direct RPC calls to the Odoo server and read the secure
password hashes of the users.

The secure password hashes are salted using a random source
of entropy, so they cannot be looked up in rainbow tables.
However it is not impossible that weak passwords could be
retrieved by brute-force attacks or dictionary-based attacks.

In Odoo 8.0 only internal users of the database can possibly
exploit this vulnerability, as portal/external/public users
do not have read access to the users by defualt.

In Odoo 7.0 both internal users and external users could
possibly exploit this vulnerability, if the `portal` or
`portal_anonymous` modules are installed, as these modules
provide read access to list of users by default.

Odoo S.A. is not aware of any malicious use if this

Customers using Odoo Online are not vulnerable, as the platform
was updated as soon as the fix was available.

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 3.8 (AV:N/AC:M/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C)

IV.  Workaround

For Odoo 7.0, uninstalling the `portal` module will prevent
exploiting this vulnerability for external users.

There is no workaround to completely prevent exploits
from internal users of the system, short of uninstalling the
`auth_crypt` module itself, which will require resetting
the password of all users using local passwords.

V.   Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the latest
version from or

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

         patch -p0 -f