← Back to team overview

openerp-community team mailing list archive

Odoo Security Advisory - 2014-01-safe-eval


Security Advisory                                     2014-01-safe-eval

Title: Arbitrary code execution using safe eval expressions

Affects: All Odoo (formerly OpenERP) versions
Component: Odoo Server
Credit: "duesenfranz"

GitHub: https://github.com/odoo/odoo/issues/3445

I.   Background

Odoo includes a sandbox for interpreting dynamic business logic components,
such as the definition of workflows, automated actions, or the dynamic
expressions used within report templates.
The mechanism behind this sandbox is called 'safe eval' and makes the system
much more flexible by allowing advanced customizations. Its role is to
execute user-provided Odoo business logic, while preventing any undesired
effects on the data or the hosting platform - such as could be caused
by accident or by malicious users.

In order to be allowed to customize any of these dynamic business logic
components, one must usually be an administrator of an Odoo database,
or have otherwise received elevated privileges.

II.  Problem Description

The default 'safe eval' sandbox environment was not sufficiently sanitized,
so an attacker with sufficient privileges might be able to escape the sandbox
through the use of specially crafted dynamic expressions.

Systems who host Odoo databases for untrusted users are particularly at risk,
(e.g. SaaS platforms), as they typically allow users to become administrators
of their own Odoo database. This is sufficient to exploit the vulnerability.

III. Impact

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 6.7 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

Malicious users with access to an administrator account on an Odoo database
might craft special code expressions specifically targeted at escaping
the sandbox protection.
This could in turn be used to execute arbitrary code as the user
running the Odoo service, granting access to local files and local services.
Files and environments accessed in this manner may contain sensitive
information such as passwords that could allow the user to gain elevated
privileges on the hosting machine itself.

Exploiting this vulnerability requires remote network access and
administrator (or privileged) account on a database hosted on a vulnerable
Odoo installation.

OpenERP S.A. is not aware of any malicious use if this vulnerability yet.

IV.  Workaround

No workaround is available, but systems that do not provide administrator
or otherwise privileged access to untrusted users are not vulnerable.

All Odoo Online servers have been patched as soon as the correction was

V.   Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the latest
version from https://www.odoo.com/page/download or http://nightly.odoo.com

To apply the patch, change into the **server** directory of your Odoo/OpenERP
installation, then execute the patch command, typically:

      patch -p1 -f < /path/to/the_patch_file.patch

VI.  Correction details

The following list contains the revisions after which the vulnerability
is corrected:

- 6.0: rev. 61b07b1be79fbd5eb9c55f21a769ed37f025bf92
- 6.1: rev. e7390fc603258c37324c77b7efad741e0c3b9842
- 7.0: rev. 9b1a9c95189d41c1cd6353063a89564f5c37c96d
- 8.0: rev. 5e248f09c7d11ee130dc13aab5661618ddb5b777