Odoo Security Announcement

How does Beopen takes care of security?

BeOpen, Gunther Clauwaert

I. Background

Odoo SA recently became aware of an ongoing brute-force scan attack  targeting Odoo servers that are publicly accessible on the Internet.

If you own or operate an Odoo installation that is publicly accessible,  you are a likely target for this attack. In that case we urge you to verify that you are not using default passwords, that your servers have  not been compromised, and that you have appropriate mitigation strategies in place.

This is particularly true if you have test/dev/staging databases hosted on internet-facing servers, possibly next to your production databases. Such databases are often more likely to use default passwords.

Conclusion: Beopen Hosting services have not been impacted, are not vulnerable, and are closely being monitored.

II. Attack Description

No exploit is involved in this attack, the main entry point is a database with a default login/password combination. Several different IP addresses were used to scan many network blocks, looking for Odoo servers answering to XML-RPC requests on common ports (8069, 80, 443, perhaps others). Some known scanner IPs: 164.132.96.170, 197.2.230.86 Known activity period: January 19, 2017 to January 27, 2017 (ongoing!)

After locating an Odoo server, the scanner tries to obtain the list of available databases by sending an HTTP POST to /xmlrpc/2/db or /xmlrpc/db, and then attempts to login on each database with the default login/password combination: admin/admin.

This is usually visible in the Odoo server logs as multiple failed login attempts for the 'admin' user on each database: (...) Login failed for db:<DB_NAME> login:admin and/or possibly a successful login if the attack succeeded: (...) successful login from 'admin' using database '<DB_NAME>'

As soon as the scanner managed to gain entry to a database using a default admin password, it attempts to install a malicious module from the Odoo Apps Store. This would be visible in the Odoo server logs as follows: (...) Downloading module `upload_github_odoo` from OpenERP Apps (...) Copy downloaded module `upload_github_odoo` to `<LOCAL_PATH>`

This malicious module has been removed from the Apps Store as soon as it was identified, on January 25. The same module was later uploaded with another name, and similarly removed. After installing this module, the attacker would use it to download and install another piece of code to allow remote execution of arbitrary commands, further compromising the machine. This would typically be visible in the server logs as well: (...) Downloading module `<MODULE>` from github (...) Copy downloaded module <MODULE>` to `<LOCAL_PATH>`If successful up to this point, the attacker would be able to remotely  execute arbitrary commands by sending XML-RPC requests.

Conclusion: Beopen tests and validates all modules that can be activated in your Beopen environment and are not been impacted and not vulnerable to the above risks.

III. Impact

After successfully gaining admin access to a vulnerable database, the attacker installed a malicious module to enable remote command execution. This may have been used to execute arbitrary code as the user running the Odoo service, granting access to local files and local services.

Files and environments accessed in this manner may contain sensitive information such as passwords that could allow the user to gain elevated privileges on the hosting environment itself. It is not known whether the attacker has used any of the compromised  installations to actually execute commands.

Conclusion: See conclusions above

IV. Detecting a successful attack

If you have internet-facing Odoo deployments, please read carefully the attack description in section II, and verify your server logs for any occurrence of the scanner IPs or of any of the suspicious log messages.

A compromised database will have an entry labelled "Zip Install" or "upload_github_odoo` in the list of installed modules. We urge you to verify your logs even if you do not believe that you were using default passwords, to be on the safe side!

If one of your databases was compromised, you should assume that your databases and your server files may have been accessed and modified. As a precaution, act as if the whole machine was compromised, and start by immediately taking it offline for analysis and re-installation.

Conclusion: See conclusions above. Additionally all Beopen environments are completely separated from each other in Docker Containers. 

V. Mitigation by Beopen/Odoo

Beopen environments are prepared for such vulnerabilities and took multiple steps to limit the extent of these attacks to improve the safety of Beopen users:

1) The malicious Apps were removed by Odoo as soon as they were identified. This blocked the main escalation step between admin account compromise  and remote command execution. (As of 2017-01-25 11:16 CET +01:00)

2) In order to entirely prevent similar attacks with other malicious Apps, the one-click automatic installation of Odoo Apps has been entirely blocked on the Odoo Apps Store (as of January, 25, 19:40 CET +01:00). This is effective for all Odoo versions, without requiring local patches. This forces all users to perform the installation of Odoo Apps manually for the moment, but most importantly blocks the channel used to distribute the remote privilege code used in this attack.

The one-click installation system may be reactivated in the future, with other security measures in place.

3) Based on an analysis of the activity on the Odoo Apps Store, Odoo SA is collecting the list of IPs that seem to have been compromised (this list cannot be disclosed, for obvious reasons) Whenever these IPs can be traced back to an administrator, Odoo SA is contacting the administrators directly to warn them about the attack.

4) Odoo 8, 9 and 10 have been updated to help server administrators further secure their installations, by blocking the one-click installation of Odoo Apps locally as well. Please refer to Issue #15225 for more details, and the list of corrected revisions. https://github.com/odoo/odoo/issues/15225

5) As of Odoo 9, the default admin/admin combination is not used anymore for new databases created via the Odoo database manager screen. Odoo SA is planning further improvements to the database creation mechanism and password management, such as warning administrators that would still be using default credentials.

6) Extra verification steps will be implemented for modules published on the Odoo Apps Store, some of them automated and some of them manual,  in order to increase the security of the users.

V. Local Mitigation

All Odoo server administrators are strongly encouraged to follow best practices when deploying Odoo services, such as:

- Always secure the super-admin and all admin accounts with strong passwords and unique usernames. Never use default passwords!

Conclusion: Beopen super-admin and all admin accounts are backed with strong passwords and unique usernames

- Restrict access to the database manager once the system is setup

Conclusion: Beopen restricts access to the database manager once the system is setup

- Use appropriate database filters (--db-filter parameter)

ConclusionBeopen uses appropriate databse filters

- Keep installations updated by regularly installing the latest builds, either via GitHub or by downloading the latest version from https://www.odoo.com/page/download or http://nightly.odoo.com

Conclusion: Beopen environments are actually on the latest v10 release.

- Run Odoo behind a web server providing HTTPS termination with a valid SSL certificate

Conclusion: Beopen web servers are standard provided with a Free and valid SSL Certificate (Let's Encypt)

- For shared hosting environments, isolate customer data and files from each other

Conclusion: Customer data and files are separated via unique Docker Containers

- Follow best practices for securing the host operating system itself.

Conclusion: Os patching is included and monitored on a permanent basis

VI. Further Information

Please contact our Team if you need to further discuss this Security Advisory.


Leave a comment

You must be logged in to post a comment.