Difference between revisions of "OSSN/OSSN-0008"
(→Summary) |
(→Discussion) |
||
Line 9: | Line 9: | ||
=== Discussion === | === Discussion === | ||
− | Currently with a single user token, no restrictions are enforced on the number of noVNC or SPICE console sessions that may be established | + | Currently with a single user token, no restrictions are enforced on the number or frequency of noVNC or SPICE console sessions that may be established. While a user can only access their own virtual machines instances, resources can be exhausted on the console proxy host by creating an excessive number of simultaneous console sessions. This can result in timeouts for subsequent connection requests to instances using the same console proxy. Not only would this prevent the user from accessing their own instances, but other legitimate users would also be deprived of console access. Further, other Nova services running on the console proxy host degrade in responsiveness. |
− | By taking advantage of | + | By taking advantage of these lack of restrictions around noVNC or SPICE console connections, a single user could cause the console proxy endpoint to become unresponsive, resulting in a Denial Of Service (DoS) style attack. It should be noted that there is no amplification effect. |
=== Recommended Actions === | === Recommended Actions === |
Revision as of 03:51, 8 March 2014
DoS style attack on noVNC server can lead to service interruption or disruption
Summary
There is currently no limit on the number of noVNC or SPICE console sessions that can be established against a single user token. This enables launching a Denial of Service (DoS) style attack by establishing many console sessions against a single virtual machine instance through the console proxy. This can cause instance access timeouts and general service response degradation on the console host.
Affected Services / Software
Horizon (VNC Console through browser), Nova (noVNC proxy), Grizzly, Havana
Discussion
Currently with a single user token, no restrictions are enforced on the number or frequency of noVNC or SPICE console sessions that may be established. While a user can only access their own virtual machines instances, resources can be exhausted on the console proxy host by creating an excessive number of simultaneous console sessions. This can result in timeouts for subsequent connection requests to instances using the same console proxy. Not only would this prevent the user from accessing their own instances, but other legitimate users would also be deprived of console access. Further, other Nova services running on the console proxy host degrade in responsiveness.
By taking advantage of these lack of restrictions around noVNC or SPICE console connections, a single user could cause the console proxy endpoint to become unresponsive, resulting in a Denial Of Service (DoS) style attack. It should be noted that there is no amplification effect.
Recommended Actions
For current stable releases (Grizzly, Havana), users need to workaround this vulnerability by using rate-limiting proxies to cover access to noVNC hosts. Rate-limiting is a common mechanism to prevent DoS/ Brute-Force attacks.
For example, if you are using a proxy such as Repose, enable the rate limiting feature by following these steps. Additional information on rate limiting is available in the OpenStack Security Guide at rate-limiting.
Contacts / References
- This OSSN : https://bugs.launchpad.net/ossn/+bug/1227575
- Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1227575
- OpenStack Security ML : openstack-security@lists.openstack.org
- OpenStack Security Group : https://launchpad.net/~openstack-ossg