Security Advisory 2014-01-safe-eval
Title: Arbitrary code execution using safe eval expressions
Affects: All Odoo (formerly OpenERP) versions
Component: Odoo Server
Credit: "duesenfranz"
GitHub: https://github.com/odoo/odoo/issues/3445

I. Background

Odoo includes a sandbox for interpreting dynamic business logic components, such as the definition of workflows, automated actions, or the dynamic expressions used within report templates. The mechanism behind this sandbox is called 'safe eval' and makes the system much more flexible by allowing advanced customizations. Its role is to execute user-provided Odoo business logic, while preventing any undesired effects on the data or the hosting platform, such as could be caused by accident or by malicious users.

In order to be allowed to customize any of these dynamic business logic components, one must usually be an administrator of an Odoo database, or have otherwise received elevated privileges.

II. Problem Description

The default 'safe eval' sandbox environment was not sufficiently sanitized, so an attacker with sufficient privileges might be able to escape the sandbox through the use of specially crafted dynamic expressions.

Systems that host Odoo databases for untrusted users (e.g. SaaS platforms) are particularly at risk, as they typically allow users to become administrators of their own Odoo database. This is sufficient to exploit the vulnerability.

III. Impact

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 6.7 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

Malicious users with access to an administrator account on an Odoo database might craft special code expressions specifically targeted at escaping the sandbox protection. This could in turn be used to execute arbitrary code as the user running the Odoo service, granting access to local files and local services.
Files and environments accessed in this manner may contain sensitive information such as passwords that could allow the user to gain elevated privileges on the hosting machine itself.

Exploiting this vulnerability requires remote network access and an administrator (or privileged) account on a database hosted on a vulnerable Odoo installation.

OpenERP S.A. is not aware of any malicious use of this vulnerability yet.

IV. Workaround

No workaround is available, but systems that do not provide administrator or otherwise privileged access to untrusted users are not vulnerable.

All Odoo Online servers have been patched as soon as the correction was available.

V. Solution

Apply the patches corresponding to your Odoo installation, or upgrade to the latest revision, either via GitHub or by downloading the latest version from https://www.odoo.com/page/download or http://nightly.odoo.com

To apply the patch, change into the **server** directory of your Odoo/OpenERP installation, then execute the patch command, typically:

    patch -p1 -f < /path/to/the_patch_file.patch

VI. Correction details

The following list contains the revisions after which the vulnerability is corrected:

- 6.0: rev. 61b07b1be79fbd5eb9c55f21a769ed37f025bf92
- 6.1: rev. e7390fc603258c37324c77b7efad741e0c3b9842
- 7.0: rev. 9b1a9c95189d41c1cd6353063a89564f5c37c96d
- 8.0: rev. 5e248f09c7d11ee130dc13aab5661618ddb5b777

_______________________________________________
Mailing list: https://launchpad.net/~openerp-community
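The Background and Problem Description sections describe a 'safe eval' sandbox whose default environment was not sufficiently sanitized. The following is an added example of the defensive pattern such a sandbox needs; it is not Odoo's own safe_eval code and was not part of the advisory. It assumes Python 3.8 or later, and the allowed node set, the SAFE_FUNCTIONS helpers and the DEMO_PARTNER record are constructed for the illustration. Rather than executing a string in a partially emptied namespace, it parses the expression into an AST, accepts only an explicit allowlist of node types, refuses any name or attribute beginning with '__', and resolves names only against values the caller deliberately exposed, so that anything outside the allowlist is refused before a single instruction runs.

```python
"""Allowlist-based expression evaluator (added illustration, not Odoo's own
safe_eval).  Assumes Python 3.8+ (ast.Constant).  The dunder filter on its own
is not a sandbox: the real protection is exposing nothing dangerous at all."""
import ast
import types

# Node types a typical business-logic expression needs (assumption).  Note what
# is absent: Lambda, comprehensions, Subscript (its helper classes vary by
# version), Pow (10**10**10 is a denial of service), and every statement node.
ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.BinOp, ast.UnaryOp, ast.Compare, ast.IfExp,
    ast.Call, ast.Attribute, ast.Name, ast.Constant, ast.List, ast.Tuple,
    ast.Dict, ast.Load,
    ast.And, ast.Or, ast.Not, ast.USub,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
)

# The only callables reachable by bare name; no other builtin is visible.
SAFE_FUNCTIONS = {"len": len, "min": min, "max": max, "sum": sum, "str": str}

# Constructed sample record standing in for a business object.
DEMO_PARTNER = types.SimpleNamespace(name="acme", credit_limit=500)


class UnsafeExpression(ValueError):
    """Raised, before anything executes, when an expression leaves the allowlist."""


def check_expression(source, allowed_names):
    """Parse *source* and reject it unless every node passes the allowlist."""
    tree = ast.parse(source, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise UnsafeExpression("disallowed syntax: " + type(node).__name__)
        if isinstance(node, ast.Name):
            # Names must be explicitly exposed; '__'-prefixed names never are.
            if node.id.startswith("__") or node.id not in allowed_names:
                raise UnsafeExpression("name not exposed to expressions: " + node.id)
        elif isinstance(node, ast.Attribute):
            # Block the interpreter's introspection surface (__class__, ...).
            if node.attr.startswith("__"):
                raise UnsafeExpression("dunder attribute access: " + node.attr)
        elif isinstance(node, ast.Call):
            # Calls may target a listed helper or a method of an exposed value.
            if isinstance(node.func, ast.Name):
                if node.func.id not in SAFE_FUNCTIONS:
                    raise UnsafeExpression("not a callable helper: " + node.func.id)
            elif not isinstance(node.func, ast.Attribute):
                raise UnsafeExpression("call target must be a helper or a method")
    return tree


def safe_eval(source, context=None):
    """Evaluate *source* with only SAFE_FUNCTIONS and *context* visible."""
    namespace = dict(SAFE_FUNCTIONS)
    namespace.update(context or {})
    tree = check_expression(source, set(namespace))
    code = compile(tree, "<safe_eval>", "eval")
    # Empty __builtins__: a name that somehow slipped past the check still
    # cannot fall back to the interpreter's real builtins.
    return eval(code, {"__builtins__": {}}, namespace)


def is_rejected(source, context=None):
    """True when the allowlist refuses *source* before evaluation."""
    try:
        safe_eval(source, context)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    ctx = {"partner": DEMO_PARTNER, "amount": 120}
    print(safe_eval("partner.name.upper()", ctx))
    print(safe_eval("amount > partner.credit_limit", ctx))
    for bad in ("x.__class__", "2 ** 64", "open('some_file')", "(lambda: 0)()"):
        print(bad, "->", "rejected" if is_rejected(bad, {"x": 1}) else "accepted")
```

The design choice worth noting is that the check is an allowlist over syntax and names, not a blocklist of known-bad spellings: a new dangerous construct is refused by default rather than admitted until someone thinks of it. Method calls on exposed values are still permitted here, so what a deployment passes in as context remains the decisive boundary.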

