Cinder

Updating any cinder quota for non-existent project works

Bug #1850273 reported by Abhishek Sharma M on 2019-10-29

This bug report is a duplicate of: Bug #1307491: quota-update should error out if input provided is non-existent tenant id. Edit Remove

8

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	New	Undecided	Unassigned
	OpenStack Security Advisory	Won't Fix	Undecided	Unassigned

Bug Description

When we try to update a cinder quota for a non-existent project, we get a 200ok response. The non-existent project doesn't get created, but am entry for this project in the quotas table of cinder is made.

PUT /volume/v3/<proj-id>/os-quota-sets/<non-existent proj-id>

Looks like project validation check is missing in the cinder quota update flow.

Due to this flaw, multiple PUT calls on fake project ids might result in filling of quota tables very fast & can be considered a type of DOS attack.

See original description

Tags:

Revision history for this message

Jeremy Stanley (fungi) wrote on 2019-10-29:

#1

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description:	updated
Changed in ossa:
status:	New → Incomplete

Revision history for this message

Sean McGinnis (sean-mcginnis) wrote on 2019-10-29:

#2

This has been an issue from early on, and has not been seen as a security risk. There are other ways to make calls and fill the database if trying to use that vector as a DoS attack. Is there an actual case where the quota table has been particularly exploited?

This is a duplicate bug report of a non-security one. Since that one is not marked as a security bug, I will not mark it as a duplicate until we've agreed that this does not add any additional exploitable information.

Revision history for this message

Jeremy Stanley (fungi) wrote on 2019-10-29:

#3

Thanks for the report. Generally we've considered bugs allowing abusive/malicious authenticated users to generate lots of database records as security hardening opportunities, but not practical vulnerabilities unless the impact is significantly (as in orders of magnitude) greater than the impact the same user could inflict through other allowed API calls. That aside, are unprivileged users generally allowed to set quotas? If not, then there are already plenty of ways for a malicious service administrator to cause far worse denials of service; these services aren't generally designed to protect themselves against their administrators.

Revision history for this message

Brian Rosmaita (brian-rosmaita) wrote on 2019-10-29:

#4

In addition to what Sean said, by default, the command that enables this vector is admin-only. So it's possible it could be done by a disgruntled employee, or a runaway admin script, but there's way worse stuff that either of those could do. So while it may be worth looking into, I don't think it is actually a security issue.

Revision history for this message

Jeremy Stanley (fungi) wrote on 2019-10-29:

#5

Thanks for the input everyone, from the OpenStack VMT's perspective we'll treat this as a class D report (security hardening opportunity) and not need an advisory. I've ended the embargo and switched the bug to public.

https://security.openstack.org/vmt-process.html#incident-report-taxonomy

description:	updated
Changed in ossa:
status:	Incomplete → Won't Fix
information type:	Private Security → Public
tags:	added: security

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1307491 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.