BeOpen Security - API

Security update ODOO-SA-2017-06-02-1, what is the impact for our customers?

BeOpen-IT (Eezee), Gunther Clauwaert

June 6th, 2017

Karim Boukabbouz from IBS Noord Africa and Nils Hamerlinckt recently announced that Odoo's file access API can grant access to files that do not belong to Odoo modules.

Problem Description

The Odoo framework exposes an API to access files included within any modules. This API is used for loading resources, images or source code. The Odoo core includes features such as reports and menus that require files accessed through this API. In some cases, these features allow users or administrators to control the file paths to use.

What is the impact?

The file access API (tools.file_open) does not properly sanitize the requested file paths, and could grant access to files that do not belong to Odoo modules.

Malicious users may trick some of the components accessing this API to request arbitrary files from the local filesystem on which Odoo is running. At least one of these components can be used without requiring elevated privileges (a normal user access is sufficient).

This could allow an attacker to read any local file that is currently readable with the system privileges of the Odoo service. This could include sensitive files containing passwords, etc.
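The missing check, as an added example that is not Odoo's code nor the vendor patch: a join-only resolver of the kind the advisory describes next to a confined one that rejects absolute names, `..` escapes and symlinks leading out of the module roots. The addons tree, file names and contents are constructed for the demo, and POSIX symlinks are assumed.

```python
import os
import tempfile

def make_sandbox():
    """Constructed stand-in for an Odoo addons tree (not real Odoo data)."""
    root = tempfile.mkdtemp()
    addons = os.path.join(root, "addons")
    static = os.path.join(addons, "my_module", "static")
    os.makedirs(static)
    with open(os.path.join(static, "logo.txt"), "w") as fh:
        fh.write("module resource")
    secret = os.path.join(root, "secret.conf")  # outside every module root
    with open(secret, "w") as fh:
        fh.write("db_password = hunter2")  # constructed sample value
    # A symlink inside the module that points outside it (assumes POSIX symlinks).
    os.symlink(secret, os.path.join(static, "link.conf"))
    return root, [addons], secret

def naive_resolve(name, addons_paths):
    """Join-and-check only: the unsanitized pattern the advisory describes."""
    for base in addons_paths:
        path = os.path.normpath(os.path.join(base, name))
        if os.path.isfile(path):
            return path
    return None

def confined_resolve(name, addons_paths):
    """Return the real path of name only if it stays under a module root."""
    if os.path.isabs(name):
        return None  # os.path.join would discard the base for absolute names
    for base in addons_paths:
        real_base = os.path.realpath(base)
        candidate = os.path.realpath(os.path.join(real_base, name))
        # realpath resolves '..' and symlinks, so both escape routes are caught
        if os.path.commonpath([real_base, candidate]) != real_base:
            continue
        if os.path.isfile(candidate):
            return candidate
    return None

def file_open(name, addons_paths):
    """Read a module resource; refuses anything outside the module roots."""
    path = confined_resolve(name, addons_paths)
    if path is None:
        raise FileNotFoundError(name)
    with open(path) as fh:
        return fh.read()
```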

Odoo S.A. is not aware of any malicious use of this vulnerability yet, but the vulnerability was publicly disclosed by a 3rd party without coordination with Odoo S.A.

What should I do to protect myself?

Attackers exploiting this vulnerability can only access files readable by the system user executing Odoo. Sensitive files might therefore be protected by using filesystem-level permissions to deny the Odoo system user read access to them.

It is very hard to effectively secure a system in this manner, so applying the patch or updating is strongly recommended.

Odoo Online servers have been patched as soon as the vulnerability was announced.

What did BeOpen do?

BeOpen servers have been patched as soon as the vulnerability was announced.

- The BeOpen Security Team
