Security Advisory - ODOO-SA-2018-08-07-6
Improper data access control in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows authenticated users to perform a CSV export of the secure hashed passwords of other users.
Affects: Odoo 10.0, 11.0 (Community and Enterprise Editions)
Component: Odoo Framework
Credits: Nils Hamerlinck (Trobz), Swapnesh Shah
CVE ID: CVE-2018-14861
I. Background
As of Odoo 8.0, when local passwords are used, the passwords are stored
by default as salted cryptographic hashes (derived via PBKDF2 using
SHA-512 hashing).
In order to protect the cryptographic hashes from being accessed by
users, a special security rule prevents reading the fields where the
password hashes are stored.
II. Problem Description
A programming error made this special security rule ineffective when
the CSV/Excel export mechanism is used.
This is a regression of the correction for Security Advisory
2016-04a-password-export.
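The two points above, salted PBKDF2-SHA512 storage and a read rule that an export path can silently bypass, are easier to see in code. The following is an added example written for this page, not Odoo's own code: a toy users model whose single `read()` path enforces the hidden-field rule, next to an exporter that reads rows directly (the class of flaw described here) and an exporter that serialises `read()` so the rule cannot be skipped. The class and function names, the `password_hash` field, the hash serialisation format, and the iteration count are all assumptions; the sample rows are constructed.

```python
import base64
import csv
import hashlib
import hmac
import io
import os

# Assumed iteration count for the example; the page does not state Odoo's actual value.
ITERATIONS = 25_000
# Hypothetical field name standing in for the column holding the password hash.
HIDDEN_FIELDS = {"password_hash"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA512, serialised as algo$iterations$salt$digest (constructed format)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2-sha512${ITERATIONS}${b64(salt)}${b64(digest)}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2-sha512":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), base64.b64decode(salt_b64), int(iters)
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


class ToyUsers:
    """Minimal stand-in for a users model: a list of row dicts plus one guarded read path."""

    def __init__(self, rows):
        self._rows = rows

    def read(self, fields):
        # The security rule lives here: hidden fields are refused, not redacted, so a caller
        # asking for them fails loudly instead of silently receiving data.
        forbidden = HIDDEN_FIELDS & set(fields)
        if forbidden:
            raise PermissionError(f"field(s) not readable: {sorted(forbidden)}")
        return [{f: row[f] for f in fields} for row in self._rows]

    def export_csv_vulnerable(self, fields):
        # Mirrors the flaw described in the advisory: the exporter walks the raw rows,
        # never calling read(), so the rule attached to read() is never consulted.
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=fields)
        writer.writeheader()
        for row in self._rows:
            writer.writerow({f: row[f] for f in fields})
        return buf.getvalue()

    def export_csv(self, fields):
        # Hardened: export is only a serialisation of read(), so there is one enforcement point.
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=fields)
        writer.writeheader()
        for rec in self.read(fields):
            writer.writerow(rec)
        return buf.getvalue()


def demo():
    """Constructed sample data; returns (hash present in vulnerable export, hardened export refused)."""
    rows = [
        {"id": 1, "login": "admin", "password_hash": hash_password("correct horse")},
        {"id": 2, "login": "employee", "password_hash": hash_password("battery staple")},
    ]
    users = ToyUsers(rows)
    fields = ["id", "login", "password_hash"]
    leaked = rows[0]["password_hash"] in users.export_csv_vulnerable(fields)
    try:
        users.export_csv(fields)
        refused = False
    except PermissionError:
        refused = True
    return leaked, refused


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The design point is that a field-level rule is only as strong as the number of code paths that honour it: any reader (CSV export, report generator, RPC endpoint) that touches records without going through the guarded `read()` reintroduces the exposure, which is why a regression of this kind is plausible and why tests should exercise the export path, not just `read()`.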
III. Impact
Access Vector: Network exploitable
Access Complexity: Low
Authentication: "Employee" access required
CVSS3 Score: Medium :: 4.3
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
By using the CSV export functionality, users with internal "Employee" access
might export the password hashes of other database users, including
those of privileged users.
Exploiting these password hashes to retrieve user passwords is difficult
but not necessarily impossible, for example in the presence of weak
passwords or passwords that may be subject to dictionary attacks.
Odoo S.A. is not aware of any malicious use of this vulnerability.
IV. Workaround
No workaround is available, but users who are exclusively authenticated
via remote authentication methods such as LDAP (auth_ldap) are not vulnerable,
as they have no local password.
Odoo Online servers were patched as soon as the correction was
available.
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing the "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected:
Version 9.0 is not impacted by this vulnerability.