OSSN/OSSN-0008
Contents
DoS style attack on noVNC server can lead to service interruption or disruption [WIP]
Summary
Currently, there is no limiting on the number of VNC sessions that can be created for a single user's VNC token which enables one to cause a DoS attack on noVNC browser proxy by requesting multiple server. This prevents subsequent access to VM's VNC console.
Affected Services / Software
Horizon, Nova, Grizzly
Discussion
NoVNC Proxy is explained well here.
Once a user gets token to access a VM's VNC console, there is no restriction in the number of times the user can try connecting to the VNC console using the same token. If multiple connection requests are made, any subsequent request could timeout. This could impact users already connected to the VNC sessions, or other users trying to make new connection. This could also impact overall responsiveness of other nova services running in the novnc host.
Thus, a user could make the NoVNC proxy endpoint not responsive/ reachable, thereby resulting in a DoS attack. However, it is to be noted there is no amplification effect.
Recommended Actions
Contacts / References
- This OSSN : https://bugs.launchpad.net/ossn/+bug/1227575
- Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1227575
- OpenStack Security ML : openstack-security@lists.openstack.org
- OpenStack Security Group : https://launchpad.net/~openstack-ossg