Author : Nicolas Frey
How we were able to demonstrate that 21% of Odoo servers reachable online still use the default admin password and are thus exposed to direct risk. This can lead to data leaks, data alteration, money diversion, defacement, cryptomining and possibly worse attacks.
The Author's story with Odoo
Some years ago my main activity was integrating ERPs in SMEs. I used Odoo (formerly OpenERP) to help them by providing fully working software able to manage quite a lot of the different things in their processes. I even had hundreds of wireless devices connected to an Odoo server for real-time wine tasting contests. Odoo is a good piece of open source software provided by the Belgian company Odoo SA.
I have always thought that ERP software is too critical to be directly exposed on the internet and should always be protected with at least a VPN. So I was skeptical when Odoo started to offer an option allowing the user to build a website integrating the data of the ERP, all in the same service/server/database. My first security concern with OpenERP was when I discovered that all user passwords were stored in cleartext in the database (not even a base64 “encryption”, and this was version 5). This engraved in my mind that this software is not security focused (which is fine when you know it), even if they have improved this since.
This year a friend asked me for some help with an installation of Odoo 8 on a Synology NAS. This made me realize that Odoo has suddenly become easy-to-install software for a lot of users. Since I redirected my career to cybersecurity some years ago but hadn’t had the opportunity to bring a solid contribution to the community, I decided to have a closer look at Odoo with the eyes of a potential attacker (even if this contribution remains modest). In cybersecurity, I learned that it’s always best to start with low-hanging fruit, since this is often rewarding. And it was!
Our approach using shodan
Since we don’t have an internet connection that would allow us to scan the whole internet on all possible ports to find which ones have an instance of Odoo running, we used the great tool shodan.io to find Odoo instances independently of the port. This provided us with a 678MB file of 42435 IP address/port pairs.
For each pair, and after some tuning based on a manual sample, we tested the exposed Odoo interfaces for information about the global admin password. For those who don’t know Odoo, the admin password allows you to dump databases, restore databases and delete existing databases.
In order to stay within the limits of the law, we of course didn’t test any real password, but instead relied on another technique that tells us whether the password was changed or not: simply reading the warning Odoo displays about the unchanged default password.
This is the most interesting part. After running our script, we found that 7303 out of 34,473 confirmed Odoo installations were using the default password. This is more than 20%!
Still using only the Odoo web interface exposed to the internet, and without downloading any extra data or database content, we used the exposed database names to find that most of them seem to be in production and used by medical device suppliers, online shops and... security service suppliers.
The first reaction we expect from affected SMEs is something like: “We don’t have anything to hide, this is simply not worth the mitigation cost”. This is not our opinion. With this admin password, anyone can download the database and use the information inside, but can also modify it (for example, changing a user's password), delete the original and upload the modified one.
This is full write access to all data. Based on this, it is thus possible to delete or encrypt all data, deface the website, and, for any Odoo installation processing payments (online payments from customers or supplier invoices), to stealthily change destination accounts, effectively diverting money from the SMEs.
Another possible attack would be the creation of a custom scheduled task in Odoo, running on the server and allowing a more complex attack, like cryptomining or a local server takeover, with all the consequences we can imagine.
We disclosed our findings to the Odoo security team. They responded quickly and professionally. They are aware of the issue and seem to have implemented better default password management in more recent versions (we didn't test). Their main concern was about the leak of IP addresses or PoC scripts that would ease attacks, which we won't provide anyway.
As often in cybersecurity, the result is far worse than expected. The ratio of exposed Odoo installations compared to the ease of the attack (this report took more time to write than the short script that found the vulnerable servers and the PoC) is quite high. This seems to be an interesting direction for some malicious people to dig into.
This leads us to warn against unsafe defaults in widely used systems. As we can see, there are a lot of users with older versions who will probably never update their systems or change the password until something bad happens.
We will spend more time digging into other potential vulnerabilities in Odoo and its common addons and will probably come back with a more technical part 2.
Mitigation: definitely worth it!
- Find your Odoo configuration file (the path and name change with the version and installation; usually /etc/odoo-server.conf)
- Change admin_passwd = admin to something more relevant
- Restart your Odoo server (e.g. systemctl restart odoo-server)
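As an added example (not code from the original article or from the Odoo project), the POSIX shell script below does the audit and the second step of the mitigation on a configuration file: it classifies the admin_passwd setting, and when it is still at the default it replaces it with a random value, keeping a .bak copy. The config path and the sample file contents are constructed for the demo, and the script assumes (as noted in the code) that an absent key falls back to the default on the older versions the article is about; the restart step is left to the operator.

```shell
#!/bin/sh
# Added example, not code from the original article or from Odoo: audit an
# Odoo configuration file for the default master password and replace it.
# The sample config below is constructed for the demo; the restart step
# (e.g. systemctl restart odoo-server) is left to the operator.
set -eu

# Classify the admin_passwd setting in a config file. Prints one of:
#   default - explicitly "admin"
#   unset   - key missing or empty (assumption: older Odoo versions then
#             fall back to "admin", so this is treated like "default")
#   custom  - any other value
# Only uncommented "admin_passwd = ..." lines count; the last one wins, as in
# INI-style parsing.
odoo_admin_passwd_state() {
    cfg="$1"
    value=$(sed -n 's/^[[:space:]]*admin_passwd[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n 1)
    value=$(printf '%s' "$value" | sed 's/[[:space:]]*$//')
    if [ -z "$value" ]; then
        echo unset
    elif [ "$value" = "admin" ]; then
        echo default
    else
        echo custom
    fi
}

# 32 hex characters (128 bits) from the kernel CSPRNG; hex contains no
# characters that are special to sed or to the config file format.
odoo_random_passwd() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Set admin_passwd in place, keeping a .bak copy. If no uncommented key
# exists the line is appended, which assumes a single [options] section.
odoo_set_admin_passwd() {
    cfg="$1"
    new="$2"
    if grep -q '^[[:space:]]*admin_passwd[[:space:]]*=' "$cfg"; then
        sed -i.bak "s|^[[:space:]]*admin_passwd[[:space:]]*=.*|admin_passwd = $new|" "$cfg"
    else
        printf 'admin_passwd = %s\n' "$new" >> "$cfg"
    fi
}

# Audit one file and fix it only when it is not already custom. Prints the
# state found before any change.
odoo_harden_admin_passwd() {
    cfg="$1"
    state=$(odoo_admin_passwd_state "$cfg")
    if [ "$state" != custom ]; then
        odoo_set_admin_passwd "$cfg" "$(odoo_random_passwd)"
    fi
    echo "$state"
}

# --- demo on a constructed file (not a real server's configuration) ---
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
[options]
; This is the password that allows database operations:
admin_passwd = admin
db_host = False
EOF
printf '%s: was %s, now %s\n' "$demo_cfg" "$(odoo_harden_admin_passwd "$demo_cfg")" \
    "$(odoo_admin_passwd_state "$demo_cfg")"
rm -f "$demo_cfg" "$demo_cfg.bak"
```

Run it against a real file with `odoo_harden_admin_passwd /etc/odoo-server.conf` (the path from the list above) and then restart the service; the new value is printed nowhere and lives only in the config file, so record it in your password manager before restarting.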
We suggested to Odoo that they create a random default admin password, or disable database management until the default password is changed.
While doing this research we did not allow ourselves to download or alter any database that wasn’t ours. We tested all the assumptions we made on our own installation, but didn’t test them on the concerned IP addresses and, of course, avoided testing the deletion mechanism.
Additional comment [2019, 8th of March]: during this research, we never tried to log in to the websites or databases and only used publicly exposed information. No POST requests or anything like that. Thanks to @DevinStroke for his advice.
During the research we encountered a lot of different versions of OpenERP/Odoo. Since we are doing this in our hobby time and wanted to keep enough time for our families and avoid this research overflowing into work time, we focused on a subset of versions compatible with our script and ignored those that didn’t match: specifically the old database management system (inherited from version 7), which accounts for approximately 4500 instances, and some unexpected behavior on the remaining instances (between 1% and 5%).
Nevertheless we think this work is globally relevant and hope it will help companies improve their security.