[OpenERP-11:auth.01] Unauthenticated access using direct RPC calls

Bug #832601 reported by Olivier Dony (Odoo)
Affects: Odoo Server (MOVED TO GITHUB)
Status: Fix Released
Importance: Critical
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

OpenERP-11:auth.01 Security Advisory

Title: Unauthenticated access using direct RPC calls

Component: openobject-server
Credits: Martin Collins
Affects: OpenERP v6.0.0 to 6.0.2
Corrected: 2011-04-28 (included in OpenERP v6.0.3)

I. Background

OpenERP server is accessible using RPC protocols (by default XML-RPC on port 8069 and NET-RPC on port 8070), not only for client access (GTK client or Web server) but also for any kind of direct interoperation with external systems.

Several remote services are available using this RPC interface, among which the /object service that allows remote method calls on most ORM objects (i.e. OpenERP business data objects).

II. Problem Description

A programming error was discovered in the authentication layer of version 6.0 that could allow RPC requests directly sent to the /object service to proceed without being properly authenticated.

III. Impact

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit

An attacker issuing XML-RPC calls manually could remotely execute operations as any user of the system, including the administrator.

The OpenERP clients (GTK, Web) do perform a call to the /common/login service to properly authenticate the user before executing further remote operations. This prevents any possible unauthenticated access when using the official clients.
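
As an added illustration, not code from the advisory or from OpenERP itself, here is a minimal Python 3 XML-RPC client that enforces the login-first order described above and is exercised offline against a constructed stand-in server; the endpoint URLs, database name and credentials are assumptions.

```python
import xmlrpc.client
class OpenERPClient:
    """Calls /object only after /common/login, as the official clients do.
    Assumes the 6.0 endpoints <url>/xmlrpc/common and <url>/xmlrpc/object."""
    def __init__(self, url, db, proxy_factory=xmlrpc.client.ServerProxy):
        self.common = proxy_factory(url + "/xmlrpc/common")
        self.objects = proxy_factory(url + "/xmlrpc/object")
        self.db, self.uid, self.password = db, None, None

    def login(self, user, password):
        # /common/login returns the user id, or False for bad credentials
        uid = self.common.login(self.db, user, password)
        if not uid:
            raise PermissionError("login rejected for %r" % user)
        self.uid, self.password = uid, password
        return uid

    def execute(self, model, method, *args):
        # Never send an /object request without credentials from login()
        if self.uid is None:
            raise PermissionError("execute() before login()")
        return self.objects.execute(self.db, self.uid, self.password,
                                    model, method, *args)

class _FakeServer:
    """Constructed stand-in for both endpoints so the flow runs offline."""
    def __init__(self):
        self.calls = []  # every /object request the stand-in received
    def login(self, db, user, password):
        return 1 if (db, user, password) == ("demo", "admin", "s3cret") else False
    def execute(self, db, uid, password, model, method, *args):
        self.calls.append((db, uid, password, model, method, args))
        return [{"id": uid, "login": "admin"}]

def _denied(fn, *args):
    try:
        fn(*args)
    except PermissionError:
        return True
    return False

def demo():
    server = _FakeServer()
    c = OpenERPClient("http://localhost:8069", "demo", lambda url: server)
    out = {"blocked_before_login": _denied(c.execute, "res.users", "read", [1]),
           "bad_password_rejected": _denied(c.login, "admin", "wrong")}
    out["uid"] = c.login("admin", "s3cret")
    out["users"] = c.execute("res.users", "read", [1], ["login"])
    out["object_call"] = server.calls[-1]
    return out
```

Every /object request carries the database, uid and password obtained at login, which is what a hand-written integration must also do.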

In addition, the 'base_crypt' module, which implements encrypted passwords in OpenERP, overrides the authentication layer and does not have this vulnerability. The 'users_ldap' module, however, does not prevent it.

OpenERP Online servers have been patched as of the day of the correction.
OpenERP Enterprise subscribers have been notified as of the day of the correction.

IV. Workaround

The vulnerability can be suppressed by installing the 'base_crypt' module, because it replaces the part of the authentication layer that is vulnerable. As a consequence, all passwords will be encrypted in the database.

Systems that use LDAP authentication ('users_ldap' module) are also vulnerable, but unfortunately the 'base_crypt' module is not currently compatible with 'users_ldap'. No known workaround is available in that case, so you should upgrade to OpenERP

V. Solution

Update to OpenERP 6.0.3 if possible, otherwise apply the patch attached to this bug report.

To apply the patch, change into the root directory of the server installation, then execute the patch command, for example:
   patch -p0 -f < /path/to/the_patch_file.patch

VI. Correction details

Here are the details of the source code revision introducing the fix:

-------------------------------------------------------------
revno: 3414
revision-id: <email address hidden>
committer: Olivier Dony <email address hidden>
branch nick: 6.0
timestamp: Thu 2011-04-28 17:39:01 +0200
modified:
  bin/addons/base/res/res_user.py svn2bzr-97cf75fe6703794bb3ed13a00a5b17f0fa59d944
-------------------------------------------------------------

Olivier Dony (Odoo) (odo-openerp) wrote :

If you've updated to 6.0.3 and still see the security notification in your OpenERP home screen, you can remove it by logging in as an administrator, going to Administration>Reporting>Audit>Client Logs, pressing "Clear" to reset the filters, and then deleting the related system message.
