Race condition while allocating floating IPs
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
neutron |
New
|
Undecided
|
Unassigned |
Bug Description
I work as a penetration tester, in one of the last projects our team encountered a problem in openstack, We are not sure whether to consider this an openstack security vulnerability. Hope you could clarify things for us.
We were testing race condition vulnerabilities on resources that have a limit per project. For example floating IP number.
The idea is to make backend server recieve a lot of same requests at the same moment, and because the server has to proccess all of them simultaneously we could get a situation where the limits are not checked properly.
Sending 500 requests (each in individual thread) directly to the Neutron API for allocation floating IPs resulted in exceeding the IP limit by 4 times.
Request example:
POST /v2.0/floatingips HTTP/1.1
Host: ...
X-Auth-Token: ...
Content-Type: application/json
Content-Length: 103
{
"floatingip": {
}
}
Is it a known openstack behavior or is it more like a hardware problem?
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.