Security Advisory - ODOO-SA-2018-08-07-7
Incorrect access control in the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to change the password of other users without knowing their current password via a crafted RPC call.
Affects: Odoo 9.0 (Community and Enterprise Editions)
Component: auth_crypt module
Credits: Nils Hamerlinck (Trobz)
CVE ID: CVE-2018-14868
I. Background
As of Odoo 8.0, when local passwords are used, the passwords are stored
by default as salted cryptographic hashes (derived via PBKDF2 using
SHA-512 hashing). This is provided by the "Password Encryption" module
(auth_crypt), which is automatically installed.
II. Problem Description
Improper access control in the auth_crypt module allows any authenticated
user, including portal users, to set the password of any other user through an
RPC call, without supplying the target's current password and without any
authorization check on the caller.
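The advisory publishes neither the vulnerable code nor the RPC call, so the following added example (written for this page, not taken from Odoo or from auth_crypt) shows only the two things the Background and Problem Description sections refer to: storing a password as a salted PBKDF2-SHA512 hash, and the authorization check a password-change entry point has to enforce before it writes a new hash. All names in it (hash_password, change_password, USERS, the round count) are hypothetical.

```python
"""Added illustration, not Odoo's code: the storage scheme the advisory
describes (salted PBKDF2-SHA512) and the check a password-change entry point
must enforce before it writes a new hash.  All names are hypothetical."""
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 25000  # assumption: illustrative work factor, not Odoo's


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Return '$pbkdf2-sha512$<rounds>$<b64 salt>$<b64 hash>' for storage."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return "$pbkdf2-sha512$%d$%s$%s" % (
        rounds, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, stored):
    """Recompute the hash with the stored salt/rounds and compare in constant time."""
    try:
        _, algo, rounds, b64salt, b64hash = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2-sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             base64.b64decode(b64salt), int(rounds))
    return hmac.compare_digest(dk, base64.b64decode(b64hash))


class PermissionDenied(Exception):
    pass


class User:
    def __init__(self, uid, login, password, is_admin=False, is_portal=False):
        self.uid, self.login = uid, login
        self.is_admin, self.is_portal = is_admin, is_portal
        self.password_hash = hash_password(password)  # only the hash is kept


# Constructed sample accounts (not real data).
USERS = {u.uid: u for u in [
    User(1, "admin", "admin-pw", is_admin=True),
    User(2, "alice", "alice-pw"),
    User(3, "portal", "portal-pw", is_portal=True),
]}


def change_password(caller_uid, target_uid, new_password, current_password=None):
    """Gate every password write, whatever transport (RPC included) delivered it.

    Allowed: an administrator resetting any account, or a user changing their
    own password after proving the current one.  Everything else, notably a
    portal user naming another uid, is refused before any hash is written.
    """
    caller, target = USERS[caller_uid], USERS[target_uid]
    if caller.is_admin:
        pass  # administrative reset: current password not required
    elif caller_uid == target_uid:
        if current_password is None or not verify_password(current_password, target.password_hash):
            raise PermissionDenied("current password missing or wrong")
    else:
        raise PermissionDenied("not allowed to set another user's password")
    target.password_hash = hash_password(new_password)
    return True


def try_change_password(caller_uid, target_uid, new_password, current_password=None):
    """Boolean wrapper so callers (and tests) see refused vs. accepted."""
    try:
        return change_password(caller_uid, target_uid, new_password, current_password)
    except PermissionDenied:
        return False
```

The check lives in the function that performs the write rather than in any one RPC handler, so a "crafted RPC call" that reaches the method by another route still meets the same gate; that is the property the flaw described above lacked.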
III. Impact
Access Vector: Network exploitable
Access Complexity: Low
Authentication: User account required
CVSS3 Score: High :: 8.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
By crafting a malicious RPC request, remote authenticated attackers
(including portal users) could force a chosen password on any user, without
knowing their current password.
Odoo S.A. is not aware of any malicious use of this vulnerability.
IV. Workaround
There is no known workaround, other than restricting remote access to the system
to trustworthy network addresses only. Uninstalling the "Password Encryption"
module (auth_crypt) would also remove the vulnerable code, with the side-effect of
denying access to all users whose stored passwords are hashed.
Odoo Online servers were patched as soon as the correction was
available.
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing the "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected:
Versions 10.0 and later are not impacted by this vulnerability.