[ https://issues.apache.org/jira/browse/CASSANDRA-21231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Miklosovic updated CASSANDRA-21231:
------------------------------------------
Resolution: Duplicate
Status: Resolved (was: Triage Needed)
> Authenticated DoS via `CREATE ROLE ... WITH HASHED PASSWORD`
> ------------------------------------------------------------
>
> Key: CASSANDRA-21231
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21231
> Project: Apache Cassandra
> Issue Type: Bug
> Components: Feature/Authorization, Feature/Rate Limiting
> Reporter: Cyl
> Priority: Normal
> Labels: dos, performance, security
>
> h2. Vulnerability Description
> *Name*: Authenticated DoS via {{CREATE ROLE ... WITH HASHED PASSWORD}}
> *Overview*:
> Similar to the {{ALTER ROLE}} vulnerability, the {{CREATE ROLE}} statement
> also supports the {{HASHED PASSWORD}} option. When a user with {{CREATE}}
> permission (on {{ALL ROLES}} or {{RoleResource.root()}}) executes a
> {{CREATE ROLE}} statement with a high-cost bcrypt hash, the server performs the
> validation synchronously on the request thread.
> This allows an attacker with role creation privileges to exhaust the request
> executor thread pool by sending multiple concurrent {{CREATE ROLE}} requests
> with high-cost hashes, leading to a denial of service.
> *Affected Configurations*:
> * Clusters running {{PasswordAuthenticator}}.
> * Users with {{CREATE}} permission on roles.
> *Impact*:
> * Complete denial of service.
> * The server becomes unresponsive to all CQL requests.
> h2. Proof-of-Concept
> The file {{poc_create_role_dos.py}} demonstrates the attack:
> # Start a Cassandra instance.
> # Create a regular user {{attacker_creator}} and grant
> {{CREATE ON ALL ROLES}} to them.
> # Launch 50 concurrent threads that run
> {{CREATE ROLE <random_name> WITH HASHED PASSWORD '<high_cost_hash>'}}.
> # Monitor the latency of a simple {{SELECT now()}} query.
> *Observed Output*:
> {code}
> [Victim] Query latency: 0.1089s
> ...
> [Victim] Query failed/timed out: ...
> {code}
> The server becomes unresponsive.
> h2. Problematic Code Reference
> In {{src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java}}:
> {code:java}
> public void validate(ClientState state) throws RequestValidationException
> {
>     opts.validate(); // Calls RoleOptions.validate() -> BCrypt.checkpw
>     // ...
> }
> {code}
> h2. Recommended Fixes
> The fix is the same as for {{ALTER ROLE}}:
> # *Limit Cost Factor*: Enforce a maximum allowed cost factor for
> {{HASHED_PASSWORD}} in {{RoleOptions.validate()}}.
> # *Offload Validation*: Perform the validation on a separate thread pool.
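The first recommended fix above, a cap on the bcrypt cost factor, can be enforced by inspecting the hash string before any BCrypt work is done. The class below is an added illustration written for this message, not Cassandra's code and not its RoleOptions.validate(); the class and method names, the assumed maximum cost of 12, and the assumption that the stored value uses the standard modular-crypt bcrypt layout ($2a$NN$...) are all mine. The sample strings in main() are constructed placeholders with valid bcrypt alphabet characters, not real hashes.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical pre-check for a HASHED PASSWORD option value, illustrating the
 * "limit cost factor" mitigation. Not Cassandra's code; all names are assumed.
 */
public final class HashedPasswordCostCheck
{
    // Modular-crypt bcrypt layout: $2<a|b|x|y>$<2-digit cost>$<22 salt chars + 31 digest chars>
    private static final Pattern BCRYPT = Pattern.compile(
        "^\\$2[abxy]\\$(\\d{2})\\$[./A-Za-z0-9]{53}$");

    // bcrypt itself accepts costs 4..31; the upper cap is an assumed policy value.
    public static final int MIN_COST = 4;
    public static final int DEFAULT_MAX_COST = 12;

    private HashedPasswordCostCheck() {}

    /**
     * Returns the parsed cost factor, or throws before any expensive
     * BCrypt.checkpw-style computation would be reached. Cheap: a regex
     * match and a two-digit parse, regardless of the cost encoded in the hash.
     */
    public static int validateHashedPassword(String hash, int maxCost)
    {
        if (hash == null)
            throw new IllegalArgumentException("HASHED PASSWORD must not be null");
        Matcher m = BCRYPT.matcher(hash);
        if (!m.matches())
            throw new IllegalArgumentException("HASHED PASSWORD is not a well-formed bcrypt hash");
        int cost = Integer.parseInt(m.group(1));
        if (cost < MIN_COST || cost > maxCost)
            throw new IllegalArgumentException(
                "bcrypt cost factor " + cost + " outside allowed range ["
                + MIN_COST + ", " + maxCost + "]");
        return cost;
    }

    public static void main(String[] args)
    {
        // Constructed placeholder: 53 characters from the bcrypt alphabet, not a real salt/digest.
        String body = "abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234";
        String[] samples = {
            "$2a$10$" + body,  // cost 10: within the assumed cap, accepted
            "$2a$31$" + body,  // cost 31: rejected up front, never reaches a 2^31-round check
            "$2a$10$short",    // malformed: rejected without any hashing
        };
        for (String s : samples)
        {
            try
            {
                System.out.println("accepted, cost " + validateHashedPassword(s, DEFAULT_MAX_COST));
            }
            catch (IllegalArgumentException e)
            {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The point of the check is that it is constant-cost: the request thread spends a regex match and a two-digit parse on every CREATE ROLE, so a caller with CREATE permission can no longer choose how long the server works on their behalf. A cap like this complements, rather than replaces, the second fix of moving the remaining validation off the request executor.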
--
This message was sent by Atlassian Jira
(v8.20.10#820010)