Message 24653

Author
meanmicio
Date
2016-03-08.21:16:39
Message id
24653

Content

Dear all

This discussion is taking way longer than what it took me to detect the issue, create the PoC and generate the patch... so hopefully we can finally move on to other things soon.

Cedric, I'm not talking about web applications in general. I am focused on a very specific problem, in a very specific context, that I have already explained.

The current design of the get_login method has problems, and it allows rapidly exhausting / consuming the system resources, because you are allowing anonymous writes to the database system table, with no timeout on wrong login.

As I said previously, the sample metrics I collected are just that, a sample. Not scientific, but enough to give you an idea of the magnitude.

For instance, with just a few parallel processes, we can easily generate 50 records / second, which amounts to 4.320.000 (over 4 million needless, hard DB operations, as writes and deletes) records per day, and, in doing so, generates a very high, sustained system load. So it's not just about "filling the disc", but also about the resources consumed in doing so.

Please don't tell me that you want to mitigate this with a cron job that deletes the records...

Nico: As we discussed yesterday, of course using ipfilter / iptables as a complement will help, as would changing the default port, etc... but those are *additional* security measures, that are not to replace our own Tryton server design in terms of security, in a similar way that we don't rely completely on ipfilter / iptables for the right functioning of sshd.

The patch that I have attached solves the critical issue on this specific context. Of course it does not eliminate all possible DoS scenarios, but it does a pretty good job on fixing this issue.

Just apply the patch, and run the same PoC exploit scripts. Compare the system load and the responsiveness of the system before and after the patch. You will see the difference, which backs up my position.

Finally, we need to deliver the solution for this issue to the Tryton and GNU Health installations. Some of these installations are mission critical (i.e., they deal with people's health and lives) and need to be 24x7.
I would love to see it implemented in the standard Tryton server. That would be the best solution. We will always have time to improve security features for upcoming releases. We need Tryton to be a solid application from all points of view, and we will make it.

Thank you again.
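The failure mode described in the message (a session row written for every login attempt, wrong or right, with nothing slowing down repeated wrong logins) next to a throttled login handler, as an added example for this thread; it is neither the attached patch nor Tryton's own code. The session table schema, the credential store, the insert-then-delete shape of the unthrottled handler, and the doubling-delay policy are all assumptions made for the illustration; the burst it replays is constructed.

```python
import sqlite3

# Constructed credential store; it stands in for the real user table, which the
# message does not show.
USERS = {"admin": "correct horse battery staple"}


class CountingDB:
    """In-memory stand-in for the server's session table (assumed schema) that
    also counts every SQL statement executed, so the cost of a login burst can
    be compared before and after throttling."""

    def __init__(self):
        # autocommit mode: no implicit BEGIN, every write is a hard DB operation
        self.con = sqlite3.connect(":memory:", isolation_level=None)
        self.statements = 0
        self.con.execute("CREATE TABLE session (id INTEGER PRIMARY KEY, login TEXT NOT NULL)")

    def execute(self, sql, params=()):
        self.statements += 1
        return self.con.execute(sql, params)

    def session_rows(self):
        return self.con.execute("SELECT COUNT(*) FROM session").fetchone()[0]


def get_login_unthrottled(db, login, password, now=None):
    """Assumed shape of the design the message criticises: a session row is
    written before the password is checked and deleted again when it is wrong,
    and nothing slows the caller down, so each wrong login costs the server two
    hard DB operations and the client almost nothing."""
    db.execute("INSERT INTO session(login) VALUES (?)", (login,))
    if USERS.get(login) == password:
        return True
    db.execute("DELETE FROM session WHERE id = last_insert_rowid()")
    return False


class LoginThrottle:
    """Hardened shape: consecutive failures per login are tracked in process
    memory, each one doubles the wait before the next attempt for that login is
    examined at all, and the session table is written only on success."""

    def __init__(self, base_delay=1.0, max_delay=60.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures = {}  # login -> (consecutive failures, time of last counted failure)

    def failure_count(self, login):
        return self._failures.get(login, (0, 0.0))[0]

    def wait_remaining(self, login, now):
        """Seconds the caller still has to wait before an attempt is processed."""
        count, last = self._failures.get(login, (0, 0.0))
        if count == 0:
            return 0.0
        wait = min(self.max_delay, self.base_delay * 2 ** (count - 1))
        return max(0.0, wait - (now - last))

    def get_login(self, db, login, password, now):
        if self.wait_remaining(login, now) > 0:
            return False  # dropped before any credential check or DB access
        if USERS.get(login) == password:
            self._failures.pop(login, None)
            db.execute("INSERT INTO session(login) VALUES (?)", (login,))
            return True
        self._failures[login] = (self.failure_count(login) + 1, now)
        return False


def hammer(login_fn, attempts, interval):
    """Constructed burst: `attempts` wrong passwords for one login, `interval`
    seconds apart, fed to `login_fn(db, login, password, now)`.
    Returns (session rows left over, SQL statements the burst cost the server)."""
    db = CountingDB()
    for i in range(attempts):
        login_fn(db, "admin", "not the password", i * interval)
    return db.session_rows(), db.statements


if __name__ == "__main__":
    print("unthrottled:", hammer(get_login_unthrottled, 500, 0.01))
    throttle = LoginThrottle()
    print("throttled:  ", hammer(throttle.get_login, 500, 0.01),
          "counted failures:", throttle.failure_count("admin"))
```

Five hundred wrong passwords at 100 per second cost the unthrottled handler a thousand statements and the throttled one none: only the attempts that arrive after the current wait has elapsed are even counted, so the backoff grows while the server stays idle. Two things to settle before using this shape for real: the in-memory table is keyed by attacker-chosen login names, so it needs a cap or a key such as the client address to stay bounded, and the legitimate user shares the wait while their login is being hammered, which is the usual trade-off of per-login throttling.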
History
Date User Action Args
2016-03-08 21:16:41 meanmicio set messageid: <1457468201.95.0.803773346896.issue5375@tryton.org>
2016-03-08 21:16:41 meanmicio set recipients: + ced, bch, yangoon, nicoe, sharkcz, smarro, ajacoutot
2016-03-08 21:16:41 meanmicio link issue5375 messages
2016-03-08 21:16:39 meanmicio create