[SEC] 2015-password-crypt - User access to secure password hashes #7241

Closed
odony opened this issue Jun 23, 2015 · 0 comments
Labels
Security security announcements

odony commented Jun 23, 2015

Security Advisory (2015-password-crypt)

User access to secure password hashes

Affects: Odoo 7.0 and 8.0
Component: Odoo Addons
Credits: Openinside Co.

I. Background

Odoo comes with an auth_crypt module implementing secure
password hashes, instead of the default clear text storage
for passwords.

This module is optional in Odoo 7.0, but installed automatically
as of Odoo 8.0 for new databases. Upgrading an instance from
Odoo 7.0 to Odoo 8.0 does not automatically install it, though.

II. Problem Description

The auth_crypt module did not sufficiently protect the
database field containing the secure password hashes.

III. Impact

A malicious user with read access to the list of users could
make direct RPC calls to the Odoo server and read the secure
password hashes of the users.

The secure password hashes are salted using a random source
of entropy, so they cannot be looked up in rainbow tables.
However, it is not impossible that weak passwords could be
retrieved by brute-force attacks or dictionary-based attacks.

In Odoo 8.0 only internal users of the database can possibly
exploit this vulnerability, as portal/external/public users
do not have read access to the users by default.

In Odoo 7.0 both internal users and external users could
possibly exploit this vulnerability, if the portal or
portal_anonymous modules are installed, as these modules
provide read access to the list of users by default.

Odoo S.A. is not aware of any malicious use of this
vulnerability.

Customers using Odoo Online are not vulnerable, as the platform
was updated as soon as the fix was available.

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 3.8 (AV:N/AC:M/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C)

IV. Workaround

For Odoo 7.0, uninstalling the portal module will prevent
external users from exploiting this vulnerability.

There is no workaround to completely prevent exploits
from internal users of the system, short of uninstalling the
auth_crypt module itself, which will require resetting
the password of all users using local passwords.

V. Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the latest
version from https://www.odoo.com/page/download or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

   patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected:

@odony odony added Confirmed the bug was confirmed by testers OE the report is linked to a support ticket (opw-...) labels Jun 23, 2015
@odony odony closed this as completed Jun 23, 2015
@odoo odoo locked and limited conversation to collaborators Jun 23, 2015
@odony odony added Security security announcements and removed Confirmed the bug was confirmed by testers OE the report is linked to a support ticket (opw-...) labels Jun 23, 2015
@odony odony changed the title [SEC] User access to secure password hashes [SEC] 2015-password-crypt - User access to secure password hashes Feb 24, 2016