Difference between revisions of "OSSN/OSSN-0008"

Revision as of 22:17, 7 March 2014

DoS style attack on noVNC server can lead to service interruption or disruption

Summary

There is currently no limitation on the number of VNC sessions that can be established for a single user's VNC token. This enables one to cause a Denial of Service (DoS) style attack by establishing many VNC sessions against a single instance through a noVNC proxy. This can cause timeouts for other users who are trying to access the same instance through VNC.

Affected Services / Software

Horizon (VNC Console through browser), Nova (NoVNC proxy), Grizzly

Discussion

NoVNC Proxy is explained well here.

Once a user gets a token to access a VM's VNC console, there is no restriction on the number of times the user can try connecting to the VNC console using the same token. If multiple connection requests are made, any subsequent request could timeout. This could impact users already connected to the VNC sessions, or other users trying to make a new connection. This could also impact overall responsiveness of other nova services running on the noVNc host.

Thus, a user could make the noVNC proxy endpoint not responsive or reachable, thereby resulting in a DoS attack. However, it is to be noted there is no amplification effect.

Recommended Actions

For current stable releases (Grizzly), users need to workaround this vulnerability by using rate-limiting proxies to cover access to NoVNC hosts. Rate-limiting is a common mechanism to prevent DoS/ Brute-Force attacks. You can find more discussion on rate-limiting around OpenStack Networking Best practices here.

Contacts / References

• This OSSN : https://bugs.launchpad.net/ossn/+bug/1227575
• Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1227575
• OpenStack Security ML : openstack-security@lists.openstack.org
• OpenStack Security Group : https://launchpad.net/~openstack-ossg