Community mailing list archives

community@mail.odoo.com

Re: Odoo Security Advisory - 2015-password-crypt

by
AVANZOSC, S.L., Ana Juaristi Olalde
- 06/23/2015 15:57:13
+1 David Arnold

Thank you very much Olivier!!!

2015-06-23 19:43 GMT+02:00 David Arnold <dar@devco.co>:
Thanks, this kind of security advisories is VERY MUCH WELCOMED!!! Thanks a lot!

On Tue, 23 Jun 2015 at 11:50, Olivier Dony (<odo@odoo.com>) wrote:
Security Advisory                          2015-password-crypt

Title: User access to secure password hashes

Affects: Odoo 7.0 and 8.0
Component: Odoo Addons
Credits: Openinside Co.

GitHub: https://github.com/odoo/odoo/issues/7241


I.   Background

Odoo comes with an `auth_crypt` module implementing secure
password hashes, instead of the default clear text storage
for passwords.

This module is optional in Odoo 7.0, but installed automatically
as of Odoo 8.0 for new databases. Upgrading an instance from
Odoo 7.0 to Odoo 8.0 does not automatically install it, though.


II.  Problem Description

The `auth_crypt` module did not sufficiently protect the
database field containing the secure password hashes.


III. Impact

A malicious user with read access to the list of users could
make direct RPC calls to the Odoo server and read the secure
password hashes of the users.

The secure password hashes are salted using a random source
of entropy, so they cannot be looked up in rainbow tables.
However it is not impossible that weak passwords could be
retrieved by brute-force attacks or dictionary-based attacks.

In Odoo 8.0 only internal users of the database can possibly
exploit this vulnerability, as portal/external/public users
do not have read access to the users by default.

In Odoo 7.0 both internal users and external users could
possibly exploit this vulnerability, if the `portal` or
`portal_anonymous` modules are installed, as these modules
provide read access to list of users by default.

Odoo S.A. is not aware of any malicious use of this
vulnerability.

Customers using Odoo Online are not vulnerable, as the platform
was updated as soon as the fix was available.

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 3.8 (AV:N/AC:M/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C)


IV.  Workaround

For Odoo 7.0, uninstalling the `portal` module will prevent
exploiting this vulnerability for external users.

There is no workaround to completely prevent exploits
from internal users of the system, short of uninstalling the
`auth_crypt` module itself, which will require resetting
the password of all users using local passwords.


V.   Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the latest
version from https://www.odoo.com/page/download or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

         patch -p0 -f 

_______________________________________________
Mailing-List: https://www.odoo.com/groups/community-59
Post to: mailto:community@mail.odoo.com
Unsubscribe: https://www.odoo.com/groups?unsubscribe





--
CEO Avanzosc, S.L : Office phone / Tfono oficina: (+34) 943 02 69 02
Ana Juaristi Olalde : Personal phone: 677 93 42 59. User/usuario skype: Avanzosc
www.openerpsite.com


This message and all documents attached to it are confidential and intended only for the person or entity to which it is addressed. Any use of this information by unauthorised persons is prohibited under current legislation. If you received this message by error, please advise us, destroy it and refrain from communicating its contents to third parties. We apologise for any inconvenience receiving this email improperly may cause to you. Your personal data are included in a file owned by Avanzosc, S.L. If you want to exercise your rights of access, correction, erasure and objection you can contact the Controller at Klara Donea 13 20720, Azkoitia (Gipuzkoa), T: 943 02 69 02 – administracion@avanzosc.es