Difference between revisions of "OSSN/OSSN-0008"
Revision as of 01:17, 8 March 2014
DoS style attack on noVNC server can lead to service interruption or disruption
Summary
There is currently no limit on the number of noVNC/SPICE sessions that can be established against a single user token. This enables one to cause a Denial of Service (DoS) style attack by establishing many console sessions against a single virtual machine instance through a console proxy. This can cause timeouts for the same and other users attempting to connect to the same instance and general service response degradation on the console host.
Affected Services / Software
Horizon (VNC Console through browser), Nova (noVNC proxy), Grizzly & Havana
Discussion
Currently, with a single user token, no restrictions are enforced on the number of noVNC or SPICE console sessions that may be established to the user's virtual machine instance (referred to below as the instance), nor is there any restriction on how frequently those sessions may be opened. While a user can only access their own virtual machines, creating an excessive number of simultaneous console sessions can exhaust resources on the console host, causing subsequent connection requests to instances on the same host to time out. Not only will this prevent access to the user's instance, but other legitimate users will also be deprived of access to their instances. Further, the responsiveness of other Nova services running on the host also degrades.
By taking advantage of this lack of restriction on the number of noVNC and SPICE console connections per user token, a single user could cause the console proxy endpoint to become unresponsive, resulting in a Denial of Service (DoS) attack. It should be noted that there is no amplification effect.
Recommended Actions
For current stable releases (Grizzly, Havana), users need to work around this vulnerability by placing rate-limiting proxies in front of noVNC hosts. Rate limiting is a common mechanism to prevent DoS and brute-force attacks.
For example, if you are using a proxy such as Repose, enable the rate limiting feature by following these steps. Additional information on rate limiting is available in the OpenStack Security Guide at rate-limiting.
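The control that is missing here, a per-token cap on concurrent console sessions combined with a limit on how fast new ones may be opened, is sketched below as an added example; it is not code from Nova, noVNC or Repose. The class name, method names and limit values are assumptions chosen for illustration, and the token strings are constructed sample data.

```python
import time

class ConsoleSessionLimiter:
    """Hypothetical per-token limiter: token bucket for the rate of new
    console sessions plus a hard cap on concurrently open sessions."""

    def __init__(self, max_sessions=4, rate=1.0, burst=3, clock=time.monotonic):
        self.max_sessions = max_sessions  # concurrent sessions allowed per token
        self.rate = rate                  # bucket refill, sessions per second
        self.burst = burst                # bucket capacity
        self.clock = clock
        self.active = {}                  # token -> open session count
        self.buckets = {}                 # token -> (credits, last refill time)

    def try_open(self, token):
        now = self.clock()
        credits, last = self.buckets.get(token, (float(self.burst), now))
        credits = min(float(self.burst), credits + (now - last) * self.rate)
        if credits < 1.0:
            verdict = "rate"              # opening sessions too quickly
        elif self.active.get(token, 0) >= self.max_sessions:
            verdict = "concurrency"       # too many sessions already open
        else:
            verdict = "ok"
            credits -= 1.0
            self.active[token] = self.active.get(token, 0) + 1
        self.buckets[token] = (credits, now)
        return verdict

    def close(self, token):
        remaining = self.active.get(token, 0) - 1
        if remaining > 0:
            self.active[token] = remaining
        else:
            self.active.pop(token, None)

def simulate():
    """Constructed scenario with a fake clock: one token opens sessions in
    a burst while a second token connects normally."""
    t = [0.0]
    lim = ConsoleSessionLimiter(clock=lambda: t[0])
    flood = [lim.try_open("token-A") for _ in range(5)]
    other = lim.try_open("token-B")       # unaffected by token-A's burst
    t[0] += 10.0                          # bucket refills, sessions stay open
    later = [lim.try_open("token-A"), lim.try_open("token-A")]
    lim.close("token-A")
    later.append(lim.try_open("token-A"))
    return flood, other, later

if __name__ == "__main__":
    print(simulate())
```

A connection handler would call `try_open` before completing the WebSocket handshake and `close` when the session ends, so a rejected request costs the console host almost nothing.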
Contacts / References
- This OSSN : https://bugs.launchpad.net/ossn/+bug/1227575
- Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1227575
- OpenStack Security ML : openstack-security@lists.openstack.org
- OpenStack Security Group : https://launchpad.net/~openstack-ossg