Add OSSN-0008 - DoS attack on noVNC/SPICE console due to lack of limiting
This adds OSSN-0008, which covers an issue related to the ability for a user to exhaust the resources on a noVNC or SPICE console host resulting in a DoS condition.
This commit is contained in:
Nathan Kinder
parent
ce768e0d54
commit
732ab7bec2
49
notes/OSSN-0008
Normal file
49
notes/OSSN-0008
Normal file
@ -0,0 +1,49 @@
|
||||
DoS style attack on noVNC server can lead to service interruption or disruption
|
||||
---
|
||||
|
||||
### Summary ###
|
||||
There is currently no limit to the number of noVNC or SPICE console
|
||||
sessions that can be established by a single user. The console host has
|
||||
limited resources and an attacker launching many sessions may be able to
|
||||
exhaust the available resources, resulting in a Denial of Service (DoS)
|
||||
condition.
|
||||
|
||||
### Affected Services / Software ###
|
||||
Horizon, Nova, noVNC proxy, SPICE console, Grizzly, Havana
|
||||
|
||||
### Discussion ###
|
||||
Currently with a single user token, no restrictions are enforced on the
|
||||
number or frequency of noVNC or SPICE console sessions that may be
|
||||
established. While a user can only access their own virtual machine
|
||||
instances, resources can be exhausted on the console proxy host by
|
||||
creating an excessive number of simultaneous console sessions. This can
|
||||
result in timeouts for subsequent connection requests to instances using
|
||||
the same console proxy. Not only would this prevent the user from
|
||||
accessing their own instances, but other legitimate users would also be
|
||||
deprived of console access. Further, other services running on the
|
||||
noVNC proxy and Compute hosts may degrade in responsiveness.
|
||||
|
||||
By taking advantage of this lack of restrictions around noVNC or SPICE
|
||||
console connections, a single user could cause the console proxy
|
||||
endpoint to become unresponsive, resulting in a Denial Of Service (DoS)
|
||||
style attack. It should be noted that there is no amplification effect.
|
||||
|
||||
### Recommended Actions ###
|
||||
For current stable OpenStack releases (Grizzly, Havana), users need to
|
||||
workaround this vulnerability by using rate-limiting proxies to cover
|
||||
access to the noVNC proxy service. Rate-limiting is a common mechanism
|
||||
to prevent DoS and Brute-Force attacks.
|
||||
|
||||
For example, if you are using a proxy such as Repose, enable the rate
|
||||
limiting feature by following these steps:
|
||||
|
||||
https://repose.atlassian.net/wiki/display/REPOSE/Rate+Limiting+Filter
|
||||
|
||||
Future OpenStack releases are looking to add the ability to restrict
|
||||
noVNC and SPICE console connections.
|
||||
|
||||
### Contacts / References ###
|
||||
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0008
|
||||
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1227575
|
||||
OpenStack Security ML : openstack-security@lists.openstack.org
|
||||
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
||||
Loading…
Reference in New Issue
Block a user