VincentHermes opened a new issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155


   #### ISSUE TYPE
    * Bug Report
   
   #### COMPONENT NAME
    * Domain/Account Limiting
   
   #### CLOUDSTACK VERSION
    * Tested on 4.11.3 and **4.14**
   
   #### CONFIGURATION
    * Quite irrelevant, new installation also affected
   
   #### OS / ENVIRONMENT
    * CentOS7 Nodes
    * KVM
    * Ceph
    * NFS Secondary
    * Hyperconverged
   
   #### SUMMARY
    * The VM Settings Tab allows Domain Admins to set CPU and RAM Values with **no restriction**
   
   #### STEPS TO REPRODUCE
   -- Create a custom offering, either with or without constraints.
   -- Create a Domain with a Domain Admin User
   -- Set any Domain Limit and/or Account Limit
   -- Login as the created Domain Admin of the Testing Domain
   -- Create an Instance with the settings of your choice but use the custom 
offering and set it to anything below your Limits. At this point, setting CPU 
and RAM too high is going to fail because the Limits are taken into account.
   -- Stop the Instance after creation and go to the Settings Tab of the VM
   -- You can edit the CPU and RAM of the VM as you would expect from the 
custom offering, however you can set the VM Parameters in this tab to anything 
you want and CS is going to accept it.
   -- If your hosts can handle the new VM size, CS is going to boot the VM as 
if nothing is strange
   
   #### EXPECTED RESULTS
    * When setting the VM Parameters via settings tab, the Domain and Account 
Limits should be taken into account and the action should fail
    * Maybe at least the launch should be prevented if Domain or Account Limits 
are reached
   
   #### ACTUAL RESULTS
    * If a Domain is set to 16 CPUs, Users (Domain Admins) can effectively 
create 16 VMs with 1 CPU each and set all of them to 32 CPUs afterwards. As 
long as the Cluster can handle the Usage, you can launch all of them and work 
with them like you had 512 CPUs as your Limit.
   

