[ 
https://issues.apache.org/jira/browse/CASSANDRA-21231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cyl updated CASSANDRA-21231:
----------------------------
    Description: 
h2. Vulnerability Description

*Name*: Authenticated DoS via {{CREATE ROLE ... WITH HASHED PASSWORD}}

*Overview*:
Similar to the {{ALTER ROLE}} vulnerability, the {{CREATE ROLE}} statement also 
supports the {{HASHED PASSWORD}} option. When a user with {{CREATE}} permission 
(on {{ALL ROLES}} or {{RoleResource.root()}}) executes a {{CREATE ROLE}} 
statement with a high-cost bcrypt hash, the server performs the validation 
synchronously on the request thread.

This allows an attacker with role creation privileges to exhaust the request 
executor thread pool by sending multiple concurrent {{CREATE ROLE}} requests 
with high-cost hashes, leading to a denial of service.

*Affected Configurations*:
* Clusters running {{PasswordAuthenticator}}.
* Users with {{CREATE}} permission on roles.

*Impact*:
* Complete denial of service.
* The server becomes unresponsive to all CQL requests.

h2. Proof-of-Concept

The file {{poc_create_role_dos.py}} demonstrates the attack:

# Start a Cassandra instance.
# Create a regular user {{attacker_creator}} and grant {{CREATE ON ALL ROLES}} to them.
# Launch 50 concurrent threads that run {{CREATE ROLE <random_name> WITH HASHED PASSWORD '<high_cost_hash>'}}.
# Monitor the latency of a simple {{SELECT now()}} query.

*Observed Output*:
{code}
[Victim] Query latency: 0.1089s
...
[Victim] Query failed/timed out: ...
{code}
The server becomes unresponsive.

h2. Problematic Code Reference

In {{src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java}}:

{code:java}
    public void validate(ClientState state) throws RequestValidationException
    {
        opts.validate(); // Calls RoleOptions.validate() -> BCrypt.checkpw
        // ...
    }
{code}

h2. Recommended Fixes

The fix is the same as for {{ALTER ROLE}}:
# *Limit Cost Factor*: Enforce a maximum allowed cost factor for {{HASHED_PASSWORD}} in {{RoleOptions.validate()}}.
# *Offload Validation*: Perform the validation on a separate thread pool.
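
As an added illustration of the first fix (this is example code, not code from the issue or from Cassandra itself): the cost field of a bcrypt string can be read and bounded before any key expansion runs, which is the check {{RoleOptions.validate()}} would need. The {{MAX_BCRYPT_COST}} ceiling is an assumed policy value, not an existing Cassandra setting, and the sample hashes are constructed filler in the bcrypt alphabet, not real digests.

```python
import re

# bcrypt modular-crypt string: $2<variant>$<cost>$<22-char salt><31-char digest>
# The cost is log2 of the key-expansion rounds, so work doubles with each step.
_BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

MAX_BCRYPT_COST = 12  # assumed policy ceiling; not an existing Cassandra setting


def bcrypt_cost(hashed: str) -> int:
    """Return the cost factor encoded in a bcrypt hash, rejecting malformed input."""
    m = _BCRYPT_RE.match(hashed)
    if m is None:
        raise ValueError("not a well-formed bcrypt hash")
    cost = int(m.group(1))
    if not 4 <= cost <= 31:  # the range bcrypt itself accepts
        raise ValueError(f"bcrypt cost {cost} outside the legal range 4..31")
    return cost


def relative_work(cost: int, baseline: int = 10) -> int:
    """How many times more expensive checkpw is at `cost` than at `baseline`."""
    return 2 ** (cost - baseline)


def validate_hashed_password(hashed: str, max_cost: int = MAX_BCRYPT_COST) -> int:
    """Parse the cost before any key expansion runs and refuse hashes whose
    cost exceeds the policy ceiling; returns the accepted cost."""
    cost = bcrypt_cost(hashed)
    if cost > max_cost:
        raise ValueError(
            f"bcrypt cost {cost} exceeds maximum {max_cost} "
            f"({relative_work(cost, max_cost)}x the allowed work)"
        )
    return cost


# Constructed sample hashes: the salt/digest body is filler in the bcrypt
# alphabet, not a real digest, since only the prefix and cost field are read.
_BODY = "A" * 22 + "b" * 31
SAMPLE_OK = f"$2a$10${_BODY}"     # typical cost, accepted
SAMPLE_HEAVY = f"$2a$31${_BODY}"  # maximum cost, rejected before checkpw


if __name__ == "__main__":
    print("accepted cost", validate_hashed_password(SAMPLE_OK))
    try:
        validate_hashed_password(SAMPLE_HEAVY)
    except ValueError as err:
        print("rejected:", err)
```

The same parse is what makes the second fix safe to scope: only hashes that pass this bound should ever reach a worker that runs {{BCrypt.checkpw}}.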

  was:
h2. 2. Vulnerability Description

*Name*: Authenticated DoS via {{CREATE ROLE ... WITH HASHED PASSWORD}}

*Overview*:
Similar to the {{ALTER ROLE}} vulnerability, the {{CREATE ROLE}} statement also 
supports the {{HASHED PASSWORD}} option. When a user with {{CREATE}} permission 
(on {{ALL ROLES}} or {{RoleResource.root()}}) executes a {{CREATE ROLE}} 
statement with a high-cost bcrypt hash, the server performs the validation 
synchronously on the request thread.

This allows an attacker with role creation privileges to exhaust the request 
executor thread pool by sending multiple concurrent {{CREATE ROLE}} requests 
with high-cost hashes, leading to a denial of service.

*Affected Configurations*:
* Clusters running {{PasswordAuthenticator}}.
* Users with {{CREATE}} permission on roles.

*Impact*:
* Complete denial of service.
* The server becomes unresponsive to all CQL requests.

h2. 2. Proof-of-Concept

The file {{poc_create_role_dos.py}} demonstrates the attack:

# Start a Cassandra instance.
# Create a regular user {{attacker_creator}} and grant {{CREATE ON ALL ROLES}} to them.
# Launch 50 concurrent threads that run {{CREATE ROLE <random_name> WITH HASHED PASSWORD '<high_cost_hash>'}}.
# Monitor the latency of a simple {{SELECT now()}} query.

*Observed Output*:
{code}
[Victim] Query latency: 0.1089s
...
[Victim] Query failed/timed out: ...
{code}
The server becomes unresponsive.

h2. 3. Problematic Code Reference

In {{src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java}}:

{code:java}
    public void validate(ClientState state) throws RequestValidationException
    {
        opts.validate(); // Calls RoleOptions.validate() -> BCrypt.checkpw
        // ...
    }
{code}

h2. 4. Recommended Fixes

The fix is the same as for {{ALTER ROLE}}:
# *Limit Cost Factor*: Enforce a maximum allowed cost factor for {{HASHED_PASSWORD}} in {{RoleOptions.validate()}}.
# *Offload Validation*: Perform the validation on a separate thread pool.


> Authenticated DoS via `CREATE ROLE ... WITH HASHED PASSWORD`
> ------------------------------------------------------------
>
>                 Key: CASSANDRA-21231
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-21231
>             Project: Apache Cassandra
>          Issue Type: Bug
>          Components: Feature/Authorization, Feature/Rate Limiting
>            Reporter: Cyl
>            Priority: Normal
>              Labels: dos, performance, security
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
