Add OSSN-0008 - DoS attack on noVNC/SPICE console due to lack of limiting
This adds OSSN-0008, which covers an issue related to the ability for a user to exhaust the resources on a noVNC or SPICE console host resulting in a DoS condition.
This commit is contained in:
parent
ce768e0d54
commit
732ab7bec2
49
notes/OSSN-0008
Normal file
49
notes/OSSN-0008
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
DoS style attack on noVNC server can lead to service interruption or disruption
|
||||||
|
---
|
||||||
|
|
||||||
|
### Summary ###
|
||||||
|
There is currently no limit to the number of noVNC or SPICE console
|
||||||
|
sessions that can be established by a single user. The console host has
|
||||||
|
limited resources and an attacker launching many sessions may be able to
|
||||||
|
exhaust the available resources, resulting in a Denial of Service (DoS)
|
||||||
|
condition.
|
||||||
|
|
||||||
|
### Affected Services / Software ###
|
||||||
|
Horizon, Nova, noVNC proxy, SPICE console, Grizzly, Havana
|
||||||
|
|
||||||
|
### Discussion ###
|
||||||
|
Currently with a single user token, no restrictions are enforced on the
|
||||||
|
number or frequency of noVNC or SPICE console sessions that may be
|
||||||
|
established. While a user can only access their own virtual machine
|
||||||
|
instances, resources can be exhausted on the console proxy host by
|
||||||
|
creating an excessive number of simultaneous console sessions. This can
|
||||||
|
result in timeouts for subsequent connection requests to instances using
|
||||||
|
the same console proxy. Not only would this prevent the user from
|
||||||
|
accessing their own instances, but other legitimate users would also be
|
||||||
|
deprived of console access. Further, other services running on the
|
||||||
|
noVNC proxy and Compute hosts may degrade in responsiveness.
|
||||||
|
|
||||||
|
By taking advantage of this lack of restrictions around noVNC or SPICE
|
||||||
|
console connections, a single user could cause the console proxy
|
||||||
|
endpoint to become unresponsive, resulting in a Denial Of Service (DoS)
|
||||||
|
style attack. It should be noted that there is no amplification effect.
|
||||||
|
|
||||||
|
### Recommended Actions ###
|
||||||
|
For current stable OpenStack releases (Grizzly, Havana), users need to
|
||||||
|
workaround this vulnerability by using rate-limiting proxies to cover
|
||||||
|
access to the noVNC proxy service. Rate-limiting is a common mechanism
|
||||||
|
to prevent DoS and Brute-Force attacks.
|
||||||
|
|
||||||
|
For example, if you are using a proxy such as Repose, enable the rate
|
||||||
|
limiting feature by following these steps:
|
||||||
|
|
||||||
|
https://repose.atlassian.net/wiki/display/REPOSE/Rate+Limiting+Filter
|
||||||
|
|
||||||
|
Future OpenStack releases are looking to add the ability to restrict
|
||||||
|
noVNC and SPICE console connections.
|
||||||
|
|
||||||
|
### Contacts / References ###
|
||||||
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0008
|
||||||
|
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1227575
|
||||||
|
OpenStack Security ML : openstack-security@lists.openstack.org
|
||||||
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
Loading…
Reference in New Issue
Block a user