
[SEC] 2016-07d-unsafe-eval - Stored remote code execution #13182

Closed

odony opened this issue Aug 17, 2016 · 0 comments
Labels
Security security announcements

Comments

@odony
Contributor

odony commented Aug 17, 2016

Security Advisory (2016-07d-unsafe-eval)

Stored remote code execution

Affects: Odoo 9.0 (Community and Enterprise Editions)
Component: Discuss and Delivery modules (mail, delivery)
Credits: Colin Newell
OVE ID: OVE-20160725-0006

I. Background

Odoo includes a sandbox for interpreting dynamic business logic components,
such as the definition of workflows, automated actions, or the dynamic
expressions used within report templates.

The mechanism behind this sandbox is called 'safe eval' and keeps the system
safe while allowing advanced customizations. Its role is to execute
user-provided Odoo business logic, while preventing any undesired
effects on the data or the hosting platform - such as could be caused
by accident or by malicious users.

In order to be allowed to customize any of these dynamic business logic
components, one must usually be an administrator of an Odoo database,
or have otherwise received elevated privileges.

II. Problem Description

In several places in Odoo official modules, some customisable dynamic
expressions were interpreted without the protection of the 'safe eval'
sandbox.

Systems that host Odoo databases for untrusted users (e.g. SaaS platforms)
are particularly at risk, as they typically allow users to become administrators
of their own Odoo database. This is sufficient to exploit the vulnerability.
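To make the difference between the two evaluation paths concrete, here is an added example (written for this page, not Odoo's own code: Odoo's real sandbox lives in `openerp.tools.safe_eval` and is not reproduced here). `unsafe_eval` is the vulnerable pattern the advisory describes, a customisable expression handed straight to `eval()`. `restricted_eval` is a whitelist interpreter over the Python AST of the kind a 'safe eval' sandbox provides: names resolve only to the variables the caller supplies, only a fixed set of functions may be called, and attribute access, subscripts, lambdas and everything else are rejected before any evaluation happens. `SAMPLE_RECORD`, `ALLOWED_FUNCTIONS` and the probe expressions are constructed for the illustration.

```python
import ast
import operator

# Constructed sample record: the variables a dynamic business expression
# (say, a delivery pricing rule) is allowed to reference.
SAMPLE_RECORD = {"weight": 12.5, "price_total": 340.0, "country_code": "BE"}

# The only callables the sandbox exposes to expressions (an assumption for
# this example; the real sandbox has its own list).
ALLOWED_FUNCTIONS = {"min": min, "max": max, "abs": abs, "round": round, "len": len}


def unsafe_eval(expression, variables):
    """The vulnerable pattern: the expression goes straight to eval(), so
    anyone allowed to edit it can run arbitrary Python as the service user."""
    return eval(expression, {}, dict(variables))


class UnsafeExpression(ValueError):
    """Raised when an expression uses a construct the sandbox does not allow."""


_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod,
}
_CMP_OPS = {
    ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne,
}


def _evaluate(node, variables):
    """Walk the AST and evaluate only whitelisted node types."""
    if isinstance(node, ast.Expression):
        return _evaluate(node.body, variables)
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (bool, int, float, str)) or node.value is None:
            return node.value
        raise UnsafeExpression("unsupported literal %r" % (node.value,))
    if isinstance(node, ast.Name):
        # Names resolve only to caller-provided variables: no builtins and no
        # globals, so nothing outside the record dictionary is reachable.
        if node.id in variables:
            return variables[node.id]
        raise UnsafeExpression("unknown name %r" % node.id)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.Not, ast.USub)):
        value = _evaluate(node.operand, variables)
        return (not value) if isinstance(node.op, ast.Not) else -value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_evaluate(node.left, variables),
                                       _evaluate(node.right, variables))
    if isinstance(node, ast.BoolOp):
        # Short-circuit like Python does: operands are evaluated lazily.
        if isinstance(node.op, ast.And):
            return all(_evaluate(v, variables) for v in node.values)
        return any(_evaluate(v, variables) for v in node.values)
    if isinstance(node, ast.Compare):
        left = _evaluate(node.left, variables)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _CMP_OPS:
                raise UnsafeExpression("unsupported comparison")
            right = _evaluate(comparator, variables)
            if not _CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.IfExp):
        branch = node.body if _evaluate(node.test, variables) else node.orelse
        return _evaluate(branch, variables)
    if isinstance(node, ast.Call):
        # Only direct calls to whitelisted names, with plain positional args.
        if not isinstance(node.func, ast.Name) or node.func.id not in ALLOWED_FUNCTIONS:
            raise UnsafeExpression("call not allowed")
        if node.keywords:
            raise UnsafeExpression("keyword arguments not allowed")
        args = [_evaluate(a, variables) for a in node.args]
        return ALLOWED_FUNCTIONS[node.func.id](*args)
    # Attribute access, subscripts, lambdas, comprehensions, starred args and
    # anything else land here: these are the routes from a "harmless"
    # expression back into the interpreter, so they are rejected outright.
    raise UnsafeExpression("disallowed construct %s" % type(node).__name__)


def restricted_eval(expression, variables):
    """Sandboxed evaluation: parse to an AST first, then interpret the whitelist."""
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression("syntax error: %s" % exc)
    return _evaluate(tree, variables)


def is_safe_expression(expression, variables):
    """True if the expression evaluates inside the sandbox, False if rejected."""
    try:
        restricted_eval(expression, variables)
        return True
    except UnsafeExpression:
        return False


if __name__ == "__main__":
    rule = "weight > 10 and country_code == 'BE'"
    print(rule, "->", restricted_eval(rule, SAMPLE_RECORD))
    for probe in ("weight.__class__", "__import__('os')", "(lambda: 1)()"):
        verdict = "allowed" if is_safe_expression(probe, SAMPLE_RECORD) else "rejected"
        print(probe, "->", verdict)
```

The design point is that the sandbox never hands the string to the interpreter: it parses, then decides node by node, so a construct it has not explicitly allowed cannot be evaluated by accident. That is also why a whitelist on node types (rather than a blacklist of dangerous names) is the shape such sandboxes take, and why a module that bypasses it for "just one expression" reopens the whole surface the advisory describes.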

III. Impact

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Privileged user account required
CVSS Score: 5.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)

Malicious users with access to an administrator account on an Odoo database
could use these dynamic expressions to execute arbitrary code as the user
running the Odoo service, granting access to local files and local services.
Files and environments accessed in this manner may contain sensitive
information such as passwords that could allow the user to gain elevated
privileges on the hosting machine itself.

Exploiting this vulnerability requires remote network access and an
administrator (or otherwise privileged) account on a database hosted on a
vulnerable Odoo installation.

Odoo S.A. is not aware of any malicious use of this vulnerability.

IV. Workaround

No workaround is available, as disabling the "Discuss" module by
removing it from the "addons path" would make many major parts of the
Odoo deployment stop working.

However, systems that do not provide administrator or otherwise
privileged access to untrusted users are not vulnerable.

All Odoo Online servers have been patched as soon as the correction was
available.

V. Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

   patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected:

  • 9.0: rev. bb1c6bd
  • 9.0-ent (Enterprise): see 9.0
@odony odony added the Security security announcements label Aug 17, 2016
@odoo odoo locked and limited conversation to collaborators Aug 17, 2016
@odony odony closed this as completed Aug 17, 2016