Community mailing list archives

community@mail.odoo.com

Odoo Security Advisory - 2015-unsafe-eval

by
Olivier Dony (odo)
- 06/23/2015 12:43:58
Security Advisory                                   2015-unsafe-eval


Title: Arbitrary code execution using Python expressions

Affects: All Odoo (formerly OpenERP) versions
Component: Odoo Server, Odoo Addons
Credits: Craig Gowing & Ondřej Kuzník, credativ Ltd

GitHub: https://github.com/odoo/odoo/issues/7243


I.   Background

Odoo includes a sandbox for interpreting dynamic business logic components,
such as the definition of workflows, automated actions, or the dynamic
expressions used within report templates.

The mechanism behind this sandbox is called 'safe eval' and keeps the system
safe while allowing advanced customizations. Its role is to execute
user-provided Odoo business logic, while preventing any undesired
effects on the data or the hosting platform - such as could be caused
by accident or by malicious users.

In order to be allowed to customize any of these dynamic business logic
components, one must usually be an administrator of an Odoo database,
or have otherwise received elevated privileges.


II.  Problem Description

In several places in the Odoo framework and in some of the Odoo
official modules, some customisable dynamic expressions were interpreted
without the protection of the 'safe eval' sandbox.

Systems who host Odoo databases for untrusted users are particularly at risk,
(e.g. SaaS platforms), as they typically allow users to become administrators
of their own Odoo database. This is sufficient to exploit the vulnerability.


III. Impact

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 6.7 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

Malicious users with access to an administrator account on an Odoo database
could use these dynamic expressions to execute arbitrary code as the user
running the Odoo service, granting access to local files and local services.
Files and environments accessed in this manner may contain sensitive
information such as passwords that could allow the user to gain elevated
privileges on the hosting machine itself.

Exploiting this vulnerability requires remote network access and
administrator (or privileged) account on a database hosted on a vulnerable
Odoo installation.

Odoo S.A. is not aware of any malicious use if this vulnerability.


IV.  Workaround

No workaround is available, but systems that do not provide administrator
or otherwise privileged access to untrusted users are not vulnerable.

All Odoo Online servers have been patched as soon as the correction was
available.


V.   Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the latest
version from https://www.odoo.com/page/download or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

          patch -p0 -f