Security Advisory - ODOO-SA-2018-08-07-10
Incorrect access control in the password reset component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated users to reset the password of other users by being the first party to use the secure token.
Affects: Odoo 9.0, 10.0, 11.0 (Community and Enterprise Editions)
Component: Odoo Framework
Credits: Swapnesh Shah, Nils Hamerlinck (Trobz)
CVE ID: CVE-2018-14859
I. Background
The "External Signup" module (auth_signup) allows external users to create
accounts on databases where the feature is installed and enabled. It also
provides a password reset feature, so that users can recover their accounts
by clicking on a secure link received by email.
II. Problem Description
A secret field used to construct the secure reset password link was not properly
protected against access by internal users of the system.
III. Impact
Access Vector: Network exploitable
Access Complexity: Low
Authentication: "Employee" access required
CVSS3 Score: High :: 8.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
A malicious internal user (a regular "Employee" account) could trigger a reset
password for a user, and use the value of the secret field to change the password
of other users before they could react to the email. This would work even when
targeting administrator accounts.
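To make the problem concrete, the following is an added illustration written for this advisory, not Odoo's code: a toy in-memory user directory with a password-reset flow. The weak variant persists the reset secret in plaintext on the user record and lets any authenticated internal user read every field of any record, which is the shape of flaw described above; the hardened variant stores only a hash of the secret, restricts non-public fields to the account owner, and makes the token expiring and single-use. All class, field and function names (User, WeakDirectory, HardenedDirectory, reset_token, outbox, other_user_can_take_over) are assumptions chosen for the example, and the mailbox is simulated by a dictionary.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Added illustration, not Odoo's code: a toy in-memory user directory with a
# password-reset flow. Class, field and function names are assumptions.


@dataclass
class User:
    login: str
    password: str
    reset_token: Optional[str] = None       # weak design: plaintext secret on the record
    reset_token_hash: Optional[str] = None  # hardened design: only a hash is stored
    reset_expires: float = 0.0


class WeakDirectory:
    """Reset secret stored in plaintext and exposed by the generic record read."""

    def __init__(self, users):
        self.users = {u.login: u for u in users}
        self.outbox = {}  # constructed stand-in for each user's mailbox

    def request_reset(self, login):
        user = self.users[login]
        token = secrets.token_urlsafe(32)
        user.reset_token = token           # secret persisted on the record
        self.outbox[login] = token         # and mailed to the account owner

    def read(self, caller, target, fields):
        # Flaw: any authenticated internal user may read every field of any
        # user record, including the reset secret.
        user = self.users[target]
        return {f: getattr(user, f) for f in fields}

    def reset_with_token(self, token, new_password):
        # Whoever presents the token first wins; nothing ties it to the mailbox owner.
        for user in self.users.values():
            if user.reset_token and hmac.compare_digest(user.reset_token, token):
                user.password = new_password
                user.reset_token = None
                return True
        return False


PUBLIC_FIELDS = {"login"}


class HardenedDirectory(WeakDirectory):
    """Three layers: the secret is never stored in plaintext, non-public fields
    are readable only by the account owner, and the token expires and is single-use."""

    def request_reset(self, login):
        user = self.users[login]
        token = secrets.token_urlsafe(32)
        user.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
        user.reset_expires = time.time() + 3600
        self.outbox[login] = token         # the only copy of the secret goes into the email

    def read(self, caller, target, fields):
        user = self.users[target]
        if caller != target:
            forbidden = [f for f in fields if f not in PUBLIC_FIELDS]
            if forbidden:
                raise PermissionError(f"{caller!r} may not read {forbidden} of {target!r}")
        return {f: getattr(user, f) for f in fields}

    def reset_with_token(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        for user in self.users.values():
            if (user.reset_token_hash
                    and time.time() < user.reset_expires
                    and hmac.compare_digest(user.reset_token_hash, digest)):
                user.password = new_password
                user.reset_token_hash = None   # single use
                return True
        return False


def owner_resets(directory, login, new_password):
    """Legitimate flow: the account owner takes the token from their own mailbox."""
    directory.request_reset(login)
    token = directory.outbox.pop(login)
    return directory.reset_with_token(token, new_password)


def other_user_can_take_over(directory, caller, target):
    """Regression check for the advisory's scenario: can `caller` finish a reset
    for `target` with nothing but the record read API (no mailbox access)?"""
    directory.request_reset(target)
    try:
        leaked = directory.read(caller, target, ["reset_token"])["reset_token"]
    except PermissionError:
        return False
    return leaked is not None and directory.reset_with_token(leaked, "changed-by-caller")


def sample_users():
    # Constructed sample data.
    return [User("admin", "admin-pw"), User("employee", "employee-pw")]


if __name__ == "__main__":
    print("weak:", other_user_can_take_over(WeakDirectory(sample_users()), "employee", "admin"))
    print("hardened:", other_user_can_take_over(HardenedDirectory(sample_users()), "employee", "admin"))
```

The check that matters for a deployment is the read path: a regression test that asks, as one account, for the reset field of another account should fail with a permission error, and even a successful read of the record should not hand back anything usable, because only a hash is stored. Hashing alone would not have been enough if the hash were also readable and the token weak, and the access restriction alone leaves a plaintext secret in the database, so the two controls are complementary.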
The victim would likely notice both a suspicious reset password message and
the fact that they would now be unable to sign in with their usual password,
but possibly not before the attacker was able to abuse the credentials of the
user.
Odoo S.A. is not aware of any malicious use of this vulnerability.
IV. Workaround
An administrator may disable the reset password feature to prevent the attack.
As the reset password is a convenient feature expected by users registering
on a system, applying the patch or updating is strongly recommended.
Odoo Online servers have been patched as soon as the correction was available.
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: