[SEC] ODOO-SA-2017-05-05-1 - Remote Code Execution via Ghostscript vulnerability #16837

Closed
odony opened this Issue May 5, 2017 · 0 comments

odony commented May 5, 2017

Security Advisory (ODOO-SA-2017-05-05-1)

Remote Code Execution via Ghostscript vulnerability

Affects: Odoo servers with an (unpatched) Ghostscript installation
Component: Core
Credits: Nils Hamerlinck
OVE ID: OVE-20170505-0003
References:
https://bugs.ghostscript.com/show_bug.cgi?id=697799
https://security-tracker.debian.org/tracker/CVE-2017-8291
https://www.ubuntu.com/usn/usn-3272-1/
https://bugzilla.suse.com/show_bug.cgi?id=1036453

I. Background

A critical security vulnerability was recently found in Ghostscript,
allowing an attacker to bypass the -dSAFER protection and execute
commands in the context of the Ghostscript process. All versions of
Ghostscript prior to 9.21 are assumed to be vulnerable. (CVE-2017-8291)

Ghostscript is an interpreter for the Adobe PostScript and PDF languages,
commonly used for rendering and converting PS documents. It is often
found on systems that directly connect with printers.

Odoo does not use Ghostscript directly, but may call it indirectly
while processing (E)PS image files, if Ghostscript is found to be
installed.

If you own or operate an Odoo installation that might have a vulnerable
Ghostscript version installed, we urge you to verify that you have
applied all appropriate security patches, as provided by your OS vendor
(see the References above).

II. Problem Description

The issue (CVE-2017-8291) is not an Odoo vulnerability, but Odoo may be
used as an entry point to exploit the Ghostscript vulnerability via
the Python Pillow library, if Ghostscript is installed.

This can turn the original "local" Ghostscript vulnerability into a
"remote" vulnerability.

III. Impact

Attack Vector: Network exploitable
Attack Complexity: Low
Authentication: Required
CVSS3 Score: High :: 8.7 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C

An attacker could craft a malicious EPS file and upload it on an Odoo
server with an affected Ghostscript version. This could lead to arbitrary
command execution with the privileges of the Odoo service.

Odoo servers that do not include a Ghostscript installation are not at
risk. Please see Section IV about verifying the presence of Ghostscript.

Note that there have been reports of exploits in the wild for the
upstream Ghostscript vulnerability (CVE-2017-8291).

IV. Verifying the presence of Ghostscript

A supported Ghostscript installation will provide one of the following
commands: 'gs', 'gswin32c' or 'gswin64c'.

You can run the command with "--version" to verify the Ghostscript
version. Please refer to the References above or to your OS vendor's
security alerts to obtain the list of corrected versions.

Odoo Online servers are not vulnerable, as they do not have Ghostscript
installed.
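The check described in this section, as an added example (not part of the advisory or of Odoo's code): it looks for the three command names the advisory lists, runs the one it finds with "--version", and flags versions older than the 9.21 release named in Section I. The 9.21 threshold is the only one the advisory states; distributions often backport fixes under an older version string, so a flagged version still has to be compared against your OS vendor's corrected-version list before concluding it is vulnerable.

```python
"""Locate a Ghostscript binary on PATH and compare its reported version with
the first upstream release the advisory names as not affected (9.21).
Added example for this advisory, not Odoo code."""
import re
import shutil
import subprocess

# Command names the advisory lists for a supported Ghostscript installation.
GS_COMMANDS = ("gs", "gswin32c", "gswin64c")

# First upstream release stated as unaffected in the advisory. Vendor backports
# may carry an older version string, so treat a hit as "check with your vendor".
FIXED_VERSION = (9, 21)


def parse_gs_version(output):
    """Turn 'gs --version' output (e.g. '9.18\\n') into a (major, minor) tuple.
    Returns None when no version number can be found in the output."""
    m = re.search(r"(\d+)\.(\d+)", output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def is_before_fix(version):
    """True when the parsed version predates the first fixed upstream release."""
    return version is not None and version < FIXED_VERSION


def find_ghostscript():
    """Return the path of the first Ghostscript command found on PATH, or None."""
    for cmd in GS_COMMANDS:
        path = shutil.which(cmd)
        if path:
            return path
    return None


def check_ghostscript():
    """Run the check and return a dict describing what was found."""
    path = find_ghostscript()
    if path is None:
        return {"installed": False, "path": None, "version": None, "review_needed": False}
    proc = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    version = parse_gs_version(proc.stdout)
    return {"installed": True, "path": path, "version": version,
            "review_needed": is_before_fix(version)}


if __name__ == "__main__":
    result = check_ghostscript()
    if not result["installed"]:
        print("No Ghostscript command found on PATH; Odoo cannot invoke it.")
    elif result["review_needed"]:
        print(f"{result['path']} reports {result['version']}: older than 9.21, "
              "verify against your OS vendor's corrected-version list.")
    else:
        print(f"{result['path']} reports {result['version']}: at or above 9.21.")
```

On a Windows host, shutil.which also finds gswin32c.exe or gswin64c.exe, so the same script covers both platforms named in the advisory.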

V. Workaround

Perform one of the following actions:

A. Uninstall Ghostscript from your system, if you don't need/use it.

B. Apply the following Odoo patch corresponding to your version, or
upgrade to the latest revision, either via GitHub or by downloading
the latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com
This patch prevents calling Ghostscript through Odoo, by deactivating
the processing of EPS files inside Odoo (an undocumented feature).

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

   patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.

Revisions with the workaround:

8.0: 58114e4
9.0: 5e776e7
10.0: 8fbbe04
10.0-ent and 9.0-ent (Enterprise): see 9.0 and 10.0.
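The entry point described in Section II (an uploaded EPS file reaching Ghostscript through Pillow) and the idea behind workaround B (stop EPS files from being processed at all) can be illustrated with an upload filter that sniffs the file content before Pillow sees it. This is an added example, not Odoo's patch and not a substitute for it; the magic bytes are the two EPS signatures Pillow's EPS plugin recognises (the ASCII "%!PS" header and the DOS EPS binary header C5 D0 D3 C6), and the sample uploads are constructed for the example. It checks content rather than the filename extension because Pillow chooses its decoder from the file content, so a renamed EPS would otherwise still trigger Ghostscript.

```python
"""Content-based upload filter that rejects EPS/PostScript data before it is
handed to Pillow, so Pillow never has a reason to invoke Ghostscript.
Added example for this advisory, not Odoo's code."""

# ASCII EPS/PostScript files begin with a "%!PS" comment line.
PS_ASCII_MAGIC = b"%!PS"
# DOS EPS binary files begin with the 4-byte marker C5 D0 D3 C6.
DOS_EPS_MAGIC = b"\xC5\xD0\xD3\xC6"
# Signatures of the raster formats this filter allows through.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xFF\xD8\xFF"
GIF_MAGICS = (b"GIF87a", b"GIF89a")

ALLOWED_TYPES = {"png", "jpeg", "gif"}


class RejectedUpload(ValueError):
    """Raised when an upload must not be passed to the image library."""


def is_eps(data):
    """True if the byte string carries either EPS signature."""
    return data.startswith(PS_ASCII_MAGIC) or data[:4] == DOS_EPS_MAGIC


def sniff_image_type(data):
    """Classify an upload by its leading bytes, ignoring any filename."""
    if is_eps(data):
        return "eps"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(GIF_MAGICS):
        return "gif"
    return "unknown"


def accept_image_upload(filename, data):
    """Return the sniffed type if the upload may go to Pillow, else raise.
    The filename is only used in the error message: the decision is made on
    content, since a decoder is selected from content, not from the extension."""
    kind = sniff_image_type(data)
    if kind not in ALLOWED_TYPES:
        raise RejectedUpload(f"{filename!r}: content type {kind!r} is not accepted")
    return kind


# Constructed sample uploads (not real files from the advisory).
SAMPLES = {
    "logo.png": PNG_MAGIC + b"\x00" * 8,
    "photo.jpg": JPEG_MAGIC + b"\xe0",
    "banner.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
    "renamed.png": DOS_EPS_MAGIC + b"\x00" * 28,  # DOS EPS content under a .png name
}


def review_samples():
    """Run every sample through the filter; returns {name: type or 'rejected'}."""
    results = {}
    for name, data in SAMPLES.items():
        try:
            results[name] = accept_image_upload(name, data)
        except RejectedUpload:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in review_samples().items():
        print(f"{name:14s} -> {verdict}")
```

The allow-list is deliberately short; extend ALLOWED_TYPES only with formats whose decoding does not shell out to an external interpreter.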

VI. Solution

Upgrade Ghostscript to a corrected version, or verify that it has
already been upgraded if you have enabled unattended-upgrades.

Please refer to the References at the top of this advisory or to your
OS vendor's security resources to obtain the list of corrected versions.

VII. Further Information

Please contact our Security Team if you need to further discuss this
Security Advisory:

https://www.odoo.com/page/responsible-disclosure

@odony odony added the Security label May 5, 2017

@odony odony closed this May 5, 2017

@odoo odoo locked and limited conversation to collaborators May 5, 2017
