[FG-VD-16-011] Openstack Logging DoS Vulnerability Notification
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | New | Undecided | Unassigned |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
Reported by private mail:
Dear Openstack,
The following information pertains to information discovered by Fortinet's
FortiGuard Labs. It has been determined that a vulnerability exists in
Openstack. To streamline the disclosure process, we have created a
preliminary advisory which you can find below. This upcoming advisory is
purely intended as a reference, and does not contain sensitive information
such as proof of concept code.
As a mature corporation involved in security research, we strive to
responsibly disclose vulnerability information. We will not post an advisory
until we determine it is appropriate to do so in co-ordination with the
vendor unless a resolution cannot be reached. We will not disclose full
proof of concept, only details relevant to the advisory.
We look forward to working closely with you to resolve this issue, and
kindly ask for your co-operation during this time. Please let us know if you
have any further questions, and we will promptly respond to address any
issues.
Type of Vulnerability & Repercussions:
DoS
Affected Software:
Ubuntu 14.04.3 with latest repository installed
# apt-get install software-
# add-apt-repository cloud-archive:
Upcoming Advisory Reference:
http://
Credits:
This vulnerability was discovered by Fortinet's FortiGuard Labs.
Proof of Concept/How to Reproduce:
The vulnerability exists in Openstack server when dealing with many HTTP GET requests in a single connection. Please check PoC glance_
The vulnerability has high impact because it consumes the log space via a single connection. As we know, Apache also records full URLs in its log file, but in order to consume its space, hundreds or thousands of connections with long URLs should be created. This behaviour is easily detected and prevented. But in this PoC, it only needs one connection to the server.
The attack doesn't need authentication.
Additional Information:
Extract from glance_
GET /v2/images/
description: updated
Changed in ossa:
status: Incomplete → Won't Fix
information type: Private Security → Public
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
I fail to see why a single connection is more difficult to detect compared to multiple connections... This seems to be a class B2 type of bug according to VMT taxonomy ( https://security.openstack.org/vmt-process.html#incident-report-taxonomy ), the bad design being the lack of rate-limiting.
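One way to bound the log growth described in the report, as an added example that is not part of the original bug thread or of OpenStack's code: a Python `logging.Filter` that truncates the logged URL and caps the log bytes each client can produce per time window. The record fields `client` and `url`, the three limits, and keying the budget by client address are assumptions made for illustration.

```python
import io
import logging
import time

MAX_URL_CHARS = 128     # assumed cap on the logged URL length
BUDGET_BYTES = 2048     # assumed log budget per client per window
WINDOW_SECONDS = 60.0   # assumed window length

class BoundedRequestLogFilter(logging.Filter):
    """Truncate logged URLs and cap log volume per client per window."""
    def __init__(self, clock=time.monotonic):
        super().__init__()
        self._clock = clock
        self._state = {}  # client -> [window_start, bytes_used, suppressed]

    def filter(self, record):
        url = getattr(record, "url", "")
        if len(url) > MAX_URL_CHARS:
            url = "%s...[%d chars cut]" % (url[:MAX_URL_CHARS], len(url) - MAX_URL_CHARS)
        record.url = url
        client = record.client = getattr(record, "client", "-")
        now = self._clock()
        state = self._state.get(client)
        if state is None or now - state[0] >= WINDOW_SECONDS:
            # Drop expired windows so stale clients do not accumulate.
            self._state = {c: s for c, s in self._state.items()
                           if now - s[0] < WINDOW_SECONDS}
            state = self._state[client] = [now, 0, 0]
        cost = len(client) + len(url) + 2   # "client url\n"
        if state[1] + cost > BUDGET_BYTES:
            state[2] += 1                   # keep a count for alerting
            return False
        state[1] += cost
        return True

    def suppressed(self, client):
        return self._state.get(client, [0, 0, 0])[2]

def simulate(requests, clock=time.monotonic):
    """Log constructed (client, url) pairs; return (log text, filter)."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(client)s %(url)s"))
    flt = BoundedRequestLogFilter(clock)
    handler.addFilter(flt)
    log = logging.Logger("constructed-access-log")
    log.addHandler(handler)
    for client, url in requests:
        log.info("request", extra={"client": client, "url": url})
    return stream.getvalue(), flt
```

The suppressed counter is what an operator would alert on: a client whose records are being dropped is exceeding its log budget within the window.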