
Difference between revisions of "OSSN/OSSN-0008"


Revision as of 03:04, 8 March 2014

DoS style attack on noVNC server can lead to service interruption or disruption

Summary

There is currently no limit on the number of noVNC or SPICE sessions that can be established against a single user token. This enables launching a Denial of Service (DoS) style attack by establishing many console sessions against a single virtual machine instance through the console proxy. This can cause instance access timeouts and general service response degradation on the console host.

Affected Services / Software

Horizon (VNC Console through browser), Nova (noVNC proxy), Grizzly, Havana

Discussion

Currently, with a single user token, no restrictions are enforced on the number of noVNC or SPICE console sessions that may be established to the user's virtual machine instance (referred to below as the instance), nor on how frequently such sessions are opened. While a user can only access their own virtual machines, creating an excessive number of simultaneous console sessions can exhaust resources on the console proxy host, causing subsequent connection requests to instances on the same host to time out. Not only would this prevent the user from accessing their own instance, but other legitimate users would also be denied access. Further, other Nova services running on the console proxy host degrade in responsiveness.

By taking advantage of this lack of restriction on the number of noVNC/SPICE console connections per user token, a single user could cause the console proxy endpoint to become unresponsive, resulting in a Denial Of Service (DoS) attack. It should be noted that there is no amplification effect.

Recommended Actions

For current stable releases (Grizzly, Havana), users need to work around this vulnerability by placing rate-limiting proxies in front of the noVNC hosts. Rate limiting is a common mechanism for preventing DoS and brute-force attacks.

For example, if you are using a proxy such as Repose, enable the rate limiting feature by following these steps. Additional information on rate limiting is available in the OpenStack Security Guide at rate-limiting.
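The two checks such a proxy needs to enforce per token, a cap on simultaneously open console sessions and a cap on how often new ones are opened, are sketched below as an added example; it is not code from this notice, Nova or Repose. The class name, method names and limit values are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class ConsoleSessionLimiter:
    """Per-token admission control for a proxy in front of the console host."""

    def __init__(self, max_concurrent=2, max_new=5, window=60.0,
                 clock=time.monotonic):
        self.max_concurrent = max_concurrent  # open sessions allowed per token
        self.max_new = max_new                # admissions allowed per window
        self.window = window                  # sliding window, in seconds
        self.clock = clock                    # injectable so tests control time
        self.open_sessions = defaultdict(int)
        self.recent = defaultdict(deque)      # token -> admission timestamps

    def try_open(self, token):
        """Decide whether a new console session for this token is proxied."""
        now = self.clock()
        stamps = self.recent[token]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()                  # forget admissions outside window
        if self.open_sessions[token] >= self.max_concurrent:
            return False, "concurrent-limit"
        if len(stamps) >= self.max_new:
            return False, "rate-limit"
        stamps.append(now)
        self.open_sessions[token] += 1
        return True, "ok"

    def close(self, token):
        """Release the slot when a proxied session ends."""
        if self.open_sessions[token] > 0:
            self.open_sessions[token] -= 1


if __name__ == "__main__":
    # Constructed input: one token opening sessions in a burst, a second
    # token opening a single session at the same time.
    fake_now = [0.0]
    limiter = ConsoleSessionLimiter(max_concurrent=2, max_new=3,
                                    clock=lambda: fake_now[0])
    for step, token in enumerate(["tok-A"] * 4 + ["tok-B"]):
        fake_now[0] = float(step)
        print(step, token, limiter.try_open(token))
```

Because state is kept per token, a burst from one token is refused without affecting sessions opened under other tokens. A real deployment would also need to evict idle tokens so the limiter's own tables stay bounded.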

Contacts / References