DoS style attack on noVNC server can lead to service interruption or disruption

---
### Summary ###

There is currently no limit to the number of noVNC or SPICE console sessions that can be established by a single user. The console host has limited resources, and an attacker launching many sessions may be able to exhaust the available resources, resulting in a Denial of Service (DoS) condition.

### Affected Services / Software ###

Horizon, Nova, noVNC proxy, SPICE console, Grizzly, Havana

### Discussion ###

Currently, with a single user token, no restrictions are enforced on the number or frequency of noVNC or SPICE console sessions that may be established. While a user can only access their own virtual machine instances, resources can be exhausted on the console proxy host by creating an excessive number of simultaneous console sessions. This can result in timeouts for subsequent connection requests to instances using the same console proxy. Not only would this prevent the user from accessing their own instances, but other legitimate users would also be deprived of console access. Further, other services running on the noVNC proxy and Compute hosts may degrade in responsiveness.

By taking advantage of this lack of restrictions around noVNC or SPICE console connections, a single user could cause the console proxy endpoint to become unresponsive, resulting in a Denial of Service (DoS) style attack. It should be noted that there is no amplification effect.

### Recommended Actions ###

For current stable OpenStack releases (Grizzly, Havana), users need to work around this vulnerability by placing rate-limiting proxies in front of the noVNC proxy service. Rate-limiting is a common mechanism to prevent DoS and brute-force attacks. For example, if you are using a proxy such as Repose, enable the rate limiting feature by following these steps: https://repose.atlassian.net/wiki/display/REPOSE/Rate+Limiting+Filter

Future OpenStack releases are looking to add the ability to restrict noVNC and SPICE console connections.
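To illustrate the kind of per-token limit the workaround above enforces, the following is an added example (not OpenStack or Repose code) of a limiter that caps both the number of simultaneous console sessions and the rate of new session requests per user token; the limit values, the `tok-A` token and the `simulate_burst` scenario are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed limits for illustration; tune to the console proxy host's capacity.
MAX_CONCURRENT_PER_USER = 5   # simultaneous noVNC/SPICE sessions per token
MAX_NEW_PER_WINDOW = 10       # new sessions a token may open per window
WINDOW_SECONDS = 60.0


class ConsoleSessionLimiter:
    """Caps concurrent console sessions and the rate of new ones per user token."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.active = defaultdict(set)    # token -> ids of currently open sessions
        self.recent = defaultdict(deque)  # token -> open timestamps inside the window

    def open_session(self, token, session_id):
        """Return (allowed, reason); the session is recorded only when allowed."""
        now = self.clock()
        recent = self.recent[token]
        while recent and now - recent[0] >= WINDOW_SECONDS:  # drop expired opens
            recent.popleft()
        if len(self.active[token]) >= MAX_CONCURRENT_PER_USER:
            return False, "concurrent session limit reached"
        if len(recent) >= MAX_NEW_PER_WINDOW:
            return False, "new-session rate limit reached"
        self.active[token].add(session_id)
        recent.append(now)
        return True, "ok"

    def close_session(self, token, session_id):
        self.active[token].discard(session_id)


def simulate_burst(attempts=20):
    """Constructed scenario: one token opens many sessions at once, closes them,
    retries, hits the rate window, then recovers after the window expires."""
    t = [0.0]                                   # fake clock, advanced by hand
    limiter = ConsoleSessionLimiter(clock=lambda: t[0])
    burst = [limiter.open_session("tok-A", f"s{i}")[0] for i in range(attempts)]
    for i in range(attempts):
        limiter.close_session("tok-A", f"s{i}")
    retry = [limiter.open_session("tok-A", f"r{i}")[0] for i in range(attempts)]
    for i in range(attempts):
        limiter.close_session("tok-A", f"r{i}")
    blocked = limiter.open_session("tok-A", "late")   # window still full
    t[0] += WINDOW_SECONDS                            # window expires
    recovered = limiter.open_session("tok-A", "fresh")
    return sum(burst), sum(retry), blocked[1], recovered[0]
```

Only the first five opens of the burst succeed, the concurrent cap stops the rest, and once ten sessions have been opened within the window the token is refused even with no sessions open until the window rolls over.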
### Contacts / References ###

This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0008
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1227575
OpenStack Security ML : openstack-secur...@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

OpenStack-dev mailing list, OpenStack-dev@lists.openstack.org, http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev