Security Advisory (2015-password-crypt)
User access to secure password hashes
Affects: Odoo 7.0 and 8.0
Component: Odoo Addons
Credits: Openinside Co.
I. Background
Odoo comes with an auth_crypt module implementing secure
password hashes, instead of the default clear text storage
for passwords.
This module is optional in Odoo 7.0, but installed automatically
as of Odoo 8.0 for new databases. Upgrading an instance from
Odoo 7.0 to Odoo 8.0 does not automatically install it, though.
II. Problem Description
The auth_crypt module did not sufficiently protect the
database field containing the secure password hashes.
III. Impact
A malicious user with read access to the list of users could
make direct RPC calls to the Odoo server and read the secure
password hashes of the users.
The secure password hashes are salted using a random source
of entropy, so they cannot be looked up in rainbow tables.
However, it is not impossible that weak passwords could be
retrieved by brute-force or dictionary-based attacks.
In Odoo 8.0 only internal users of the database can possibly
exploit this vulnerability, as portal/external/public users
do not have read access to the users by default.
In Odoo 7.0 both internal users and external users could
possibly exploit this vulnerability, if the portal or
portal_anonymous modules are installed, as these modules
provide read access to the list of users by default.
Odoo S.A. is not aware of any malicious use of this
vulnerability.
Customers using Odoo Online are not vulnerable, as the platform
was updated as soon as the fix was available.
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 3.8 (AV:N/AC:M/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C)
IV. Workaround
For Odoo 7.0, uninstalling the portal module will prevent
exploiting this vulnerability for external users.
There is no workaround to completely prevent exploits
from internal users of the system, short of uninstalling the
auth_crypt module itself, which will require resetting
the password of all users using local passwords.
V. Solution
Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the latest
version from https://www.odoo.com/page/download or http://nightly.odoo.com
To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: