Authentication is not checked before sending potentially large request bodies

I agree that public glance-api servers present a unique challenge here. Not totally convinced we can address that as a security fix though -- it might be OSSN territory...

We should discuss on the private bug how we would fix that first, and then decide in which bucket it falls.

Adding Keystone and Glance PTLs to discuss this further

I'm not clear on the specifics of WSGI here, but if it's possible to read request headers before the entire chunked request is sent (I'd bet someone who works on glance would know better than I), then a fix should be possible in keystoneclient.middleware.auth_token. That would also be dependent on auth_token appearing first in the pipeline (or at least nothing attempting to read the request body first, etc).

markwash, any comment ?

Fantastic detective work, Alex!

It looks like there are few if any barriers to making this work in python-keystoneclient and in glance. The only middleware ahead of authentication in the chain in glance is version negotiation, which seems to only care about path info and headers.

I'm actually somewhat surprised that this behavior occurs, at all, however. So I think some more research is going to be necessary, to see how far we get in the code before we start waiting on the whole request body.

This is very much like "HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS" OSSN -- we need to accept data so we are vulnerable to classic, basic DoS techniques.

Let me CC Rob Clark from he OSSG for more input on the "flawed by design vs. security bug" debate.

We're probably also susceptible to slowloris attacks for the same reason -- waiting on complete request bodies.

  http://en.wikipedia.org/wiki/Slowloris

Issue independently reported by Harri Hämäläinen in bug 1217857

So the major issue here that I think (iirc) differentiates this from similar issues in the past is that the requests are unauthenticated and there's no elegant way to rate/size limit these unauthed requests. To that end it's somewhat different to the previous Keystone DoS issue.

Regarding slowloris, I can't see how common controls like deploying Varnish would be of any use...No obvious solution springs to mind. I suppose that the severity of the Glance API going down is less than that of say, Keystone but some deployers may have SLAs around image upload etc and this issue certainly appears to have the capability to DoS the Glance API without too much effort and in an unauthenticated way.

I don't think the fix for Keystone would work here unless you had a way to verify tokens from Apache/Nginx ( or whatever your FE proxy is) because as already pointed out in the bug report Glance needs to accept big uploads.

This feels like a real security bug to me.

Agreed... I just don't see an easy way out so this might require a specific feature to fix (a bit like the console log DoS in Nova which we had around since forever).

Any news on this issue? I'm still seeing this as a real & critical problem as unauthorized user can e.g. temporarily reserve all the disk space from glance host. With some system setups this is definitely going to cause issues with some system services which are trying to write to full disk.

@markwash: did you make progress on investigating options we have to fix this issue ?

No progress yet.

@markwash: if this is fixable (and backportable) it would be good to have an answer for the icehouse release. If it's more destructive and needs a design overhaul, it would be great to have it on the table for the Juno summit. In both cases we need to make progress on researching potential solutions for this issue now...

In case its useful for comparison Swift doesn't seem to exhibit this behaviour.

It returns a 401 without reading all the input data.

Swift seems to send a "HTTP/1.1 100 Continue" after authentication indicating that the client should start to upload data.
When auth fails it sends a 401 instead.

If the glance client included this header:

Expect: 100-continue

then you get a 401 straight away.

While not a real fix it would be very easy to put this in the glance client to at least reduce chances
of this happening by accident.

@Stuart: yes, this bug is slightly different from the Swift one, and a few details make it fall on the "vulnerable" side of the fuzzy line I mentioned there: you can trigger this without being authenticated, and it's actually hard to mitigate the issue at proxy-level (due to the nature of Glance, uploading massive images is a valid use case for /some/ users)

Also, Swift does seem to also be vulnerable to this if you remove the 'Expect: 100-continue' header.
(I entered https://bugs.launchpad.net/swift/+bug/1284669)

So we now have four bugs: 401/403 cases for both Glance and swift.

I've kept the 401/403 cases separate as a fix for one may not fix the other case (depending on how
its implemented). If that's too much of a bug proliferation we can close a couple with the caveat that
any fix should be tested for both 401 and 403 cases.

Stuart McLaren reported Swift as also affected by this:

"""
The trick here is to add the -H 'Expect:' header:

$ cat /mnt/ubuntu/dd.7000 | curl -i -X PUT -T - -H 'x-auth-token: bogus-token' https://swift.example.com:443/v1/AUTH_XXX/tmp/x -v -H 'Expect:' >/dev/null

[sends 7GB of data then returns 401]
"""

So in both cases it's an unauthenticated DoS vector, without amplification.

The main difference between Swift and Glance is that proxies may filter on request size for Swift (to match the 4Gb max request), while it's more difficult to do on Glance servers.

Given the lack of amplification and the possibility to proxy-filter on requestsize for Swift, I'd be inclined to consider the attack vector on Swift as shallow and not consider this a vulnerability there... but I could be convinced otherwise.

On the Swift side, there are two separate claims:

- Without using the Expect semantics, a client will not get a 4xx response until after the body has been transferred to the server. This makes sense and is known and expected behavior. Without using the "early response" semantics provided in the RFC (ie Expect), the client will continue to send data before looking for a response. This isn't a security issue; it's just a matter of handling inefficient clients.

- When the client has uploaded more data than is allowed in a single object, what should Swift do? Immediately terminate the connection or politely allow the client to finish? Of course, there are edge cases (eg chunked vs not chunked). This is a separate issue than when to return a response code, and it needs to be tracked and discussed independently. There is a bug at https://bugs.launchpad.net/swift/+bug/1284254 for this.

As such, I'm removing Swift from this particular bug.

Think we find a similar issue for uploading large chunks of data to Glance (to possibly an non-queued image) and the check [1] failed after a huge portion of the same has been uploaded from the client to the g-api.

P.S. Added John and Erno for any more possible insights, recommendations and reviews for the fix.

[1] https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L917

I couldn't reproduce against 2014.1.3, the server immediately close the connection with a 401 without consuming much resources...

Is this bug still present ?

@glance-coresec: could you confirm the issue disappeared ?

At this point please confirm this is still the case with keystonemiddleware. the middleware provided in keystoneclient has not been the focus of delvelopment (and in fact is it hardly tested at this point since everything has moved over to the modules provided in keystonemiddleware package).

I'm marking this as invalid against keystoneclient and marking it as incomplete against keystonemiddleware with the expectation that if it is still occuring the glance-coresec or VMT team will update the bug for keystonemiddleware.

In addition to my last comment, glance should be using keystonemiddleware as of Juno

This bugs does not seems to affect any supported stable release (>= Icehouse).

Does someone have an objection if we open this bug and mark it as a won't fix ?

Tristan, I think that would be acceptable.

I can double check on my environment today and get back to you. Please feel free to open this tomorrow otherwise.

Confirmed, this is not an issue. Please feel free to open it. Thanks again.

Alright, it's time to close this old bug. Nikhil, you might want to close the Glance task too.