Community mailing list archives
Re: Odoo Security Advisory - 2015-password-cryptby
El Aleman, David Arnold
Thanks, this kind of security advisories is VERY MUCH WELCOMED!!! Thanks a lot!
El mar., 23 jun. 2015 a las 11:50, Olivier Dony (<firstname.lastname@example.org>) escribió:
Security Advisory 2015-password-crypt Title: User access to secure password hashes Affects: Odoo 7.0 and 8.0 Component: Odoo Addons Credits: Openinside Co. GitHub: https://github.com/odoo/odoo/issues/7241 I. Background Odoo comes with an `auth_crypt` module implementing secure password hashes, instead of the default clear text storage for passwords. This module is optional in Odoo 7.0, but installed automatically as of Odoo 8.0 for new databases. Upgrading an instance from Odoo 7.0 to Odoo 8.0 does not automatically install it, though. II. Problem Description The `auth_crypt` module did not sufficiently protect the database field containing the secure password hashes. III. Impact A malicious user with read access to the list of users could make direct RPC calls to the Odoo server and read the secure password hashes of the users. The secure password hashes are salted using a random source of entropy, so they cannot be looked up in rainbow tables. However it is not impossible that weak passwords could be retrieved by brute-force attacks or dictionary-based attacks. In Odoo 8.0 only internal users of the database can possibly exploit this vulnerability, as portal/external/public users do not have read access to the users by defualt. In Odoo 7.0 both internal users and external users could possibly exploit this vulnerability, if the `portal` or `portal_anonymous` modules are installed, as these modules provide read access to list of users by default. Odoo S.A. is not aware of any malicious use if this vulnerability. Customers using Odoo Online are not vulnerable, as the platform was updated as soon as the fix was available. Access Vector: Network exploitable Access Complexity: Medium Authentication: Privileged user account required CVSS Score: 3.8 (AV:N/AC:M/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C) IV. Workaround For Odoo 7.0, uninstalling the `portal` module will prevent exploiting this vulnerability for external users. There is no workaround to completely prevent exploits from internal users of the system, short of uninstalling the `auth_crypt` module itself, which will require resetting the password of all users using local passwords. V. Solution Apply the patches corresponding to your Odoo installation, or upgrade to the latest revision, either via GitHub or by downloading the latest version from https://www.odoo.com/page/download or http://nightly.odoo.com To apply the patch, change into the main directory of your Odoo installation (the one containing "openerp" and "addons" directories), then execute the patch command, typically: patch -p0 -f