librelist archives

Fwd: DoS via SocketServer

From:
Gregory Disney
Date:
2014-09-02 @ 20:42
Hey,
If a SYN flood attack happens, the socket never actually flushes the
connection, which causes a DoS. The method I used to test this was: I set up a
Flask app, then ran slowloris against the open Flask port; within a few seconds
Flask starts dumping socket server errors and the whole service goes down. This
seems to be a critical issue.

Thanks,
-Greg

Re: [flask] Fwd: DoS via SocketServer

From:
Daniel Neuhäuser
Date:
2014-09-02 @ 21:26
Well, you shouldn't use the development server for production, and not just
because we feel like advising people not to. This merely adds to the list
of reasons.

In other words I don't see a critical issue here at all.

Re: [flask] Fwd: DoS via SocketServer

From:
Gregory Disney
Date:
2014-09-05 @ 22:23
Last time I checked, deployment environment is not part of the CVSS scoring
system. Either way there is a vulnerability, so let's discuss mitigation.
Thanks,
-Greg


On Tue, Sep 2, 2014 at 2:26 PM, Daniel Neuhäuser <ich@danielneuhaeuser.de>
wrote:

> Well, you shouldn't use the development server for production and not just
> because we feel like advising people not to. This merely adds to the list
> of reasons.
>
> In other words I don't see a critical issue here at all.
>

Re: [flask] Fwd: DoS via SocketServer

From:
Armin Ronacher
Date:
2014-09-07 @ 11:21
Hi,

On 06/09/14 00:23, Gregory Disney wrote:
> Last time I checked deployment environment is not on the CVSS scoring
> system. Either way there is a vulnerability, so let's discuss mitigation.
If the documentation does not make it clear that the development server
should not be used for anything other than development, then we will fix
it. However, it has been routinely pointed out that you must not use the
development server for anything other than development.

We do not have the resources (and we do not believe it's in the best 
interest of us) to maintain a production grade HTTP server.  The sole 
purpose of the builtin one is a simple development experience.

Can you explain what exactly you mean by "deployment environment is not 
on the CVSS scoring system".


Regards,
Armin

Re: [flask] Fwd: DoS via SocketServer

From:
Matthias Urlichs
Date:
2014-09-07 @ 14:47
Hi,

Armin Ronacher:
> We do not have the resources (and we do not believe it's in the best 
> interest of us) to maintain a production grade HTTP server.

I'd re-word that a bit more strongly:
We do believe that it's _not_ in our best interest to maintain (yet
another) production-grade HTTP server, given the fact that there already
are quite a few of them available.

-- 
-- Matthias Urlichs

Re: [flask] Fwd: DoS via SocketServer

From:
Gregory Disney
Date:
2014-09-07 @ 18:40
Calculate the risk for yourself:
http://nvd.nist.gov/cvss.cfm?calculator&version=2. Nowhere are points
dropped because the environment is development versus production. It's fine,
it's a do-not-fix on your half. I will have to file a CVE against Flask,
though, to alert developers using Flask of this vulnerability. If you wish
to work on a mitigation, we can hold off on the CVE till a mitigation is
found.

On Sun, Sep 7, 2014 at 7:47 AM, Matthias Urlichs <matthias@urlichs.de>
wrote:

> Hi,
>
> Armin Ronacher:
> > We do not have the resources (and we do not believe it's in the best
> > interest of us) to maintain a production grade HTTP server.
>
> I'd re-word that a bit more strongly:
> We do believe that it's _not_ in our best interest to maintain (yet
> another) production-grade HTTP server, given the fact that there already
> are quite a few of them available.
>
> --
> -- Matthias Urlichs
>

Re: [flask] Fwd: DoS via SocketServer

From:
Gregory Disney
Date:
2014-09-07 @ 18:44
Here's the risk I calculated with the CVSS calculator; this is a pretty common
score for DoS attacks. This is based off the CIA triad; since a DoS attack
compromises Integrity and Accessibility, they usually get pretty high up
there score-wise.

CVSS Base Score: 9.4
Impact Subscore: 9.2
Exploitability Subscore: 10
CVSS Temporal Score: 9.4
CVSS Environmental Score: 10
Modified Impact Subscore: 10
Overall CVSS Score: 10

(Equation: http://nvd.nist.gov/cvss.cfm?calculator&version=2#score)


Re: [flask] Fwd: DoS via SocketServer

From:
Paulo Bu
Date:
2014-09-08 @ 06:03
George, I think you don’t get the point here. Everyone understands that the
Flask development server is very vulnerable; the thing is, it doesn’t
matter. The first thing you read when you start developing with Flask
(also Django, Rails, etc., etc.) is that the server they provide IS JUST FOR
DEVELOPMENT. They say it out loud. You’re supposed to deploy your app with
well-known production-ready servers like Apache, Nginx, etc.

Filing a CVE against Flask “just to tell people” is pointless, because the
Flask docs themselves are telling people not to use the server in a
production environment. And believe me, people who are indeed using it in a
production environment are way more likely to read the Flask documentation
than a CVE report… Also, you don’t need clever tricks like SYN flood or
anything like it to DoS the Flask server; since it is by default a
single-threaded server, you will only need 3 or 4 clients requesting
concurrently to bring it down, nothing fancy.

On the other side, I think you made your point. I’ve seen that the Flask
developers are currently putting some effort into the documentation to make
it “CLEARER THAN WATER” that the Flask server is not intended for production.

Kind regards,
Paulo Bu
Software developer at TMG

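To make the mechanism behind this thread concrete (Greg's slowloris run in the first message, and Paulo's point that a single-threaded server with unbounded waits falls over under a handful of stalled clients), here is an added example in Python. It is not code from Flask, Werkzeug, or anyone in the thread. It uses the standard library's http.server and socketserver, which the Werkzeug development server is also built on, to start a loopback server, hold open four half-sent requests of the kind slowloris sends, and then check whether a fresh, well-behaved client is still answered. The weak configuration (one request at a time, no read timeout) fails that check; either a per-connection header timeout or a thread per connection passes it. The request bytes, the 0.25 s timeout and the DemoServer/DemoHandler names are constructed for this demo. Passing this check is not a substitute for the production WSGI server the maintainers recommend; it only shows which two properties the development server lacks.

```python
import http.server
import socket
import socketserver
import threading
import time

# Constructed sample input: a request whose headers never finish. The final
# blank line is missing, so a server without a per-connection read timeout
# waits forever for the rest of the headers (the slowloris idea).
STALLED_REQUEST = b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nX-Slow: 1\r\n"
COMPLETE_REQUEST = b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"


class QuietHandler(http.server.BaseHTTPRequestHandler):
    """Minimal handler. `timeout` is the stdlib StreamRequestHandler hook:
    setup() applies it as the socket timeout of each accepted connection."""

    timeout = None  # replaced per server by make_server()

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep request logs and "Request timed out" lines out of the demo


def make_server(threaded, header_timeout):
    """Loopback HTTP server on an ephemeral port (hypothetical demo class).

    threaded=False, header_timeout=None is the weak shape discussed in the
    thread: one connection handled at a time, unbounded waits for headers.
    """
    handler = type("DemoHandler", (QuietHandler,), {"timeout": header_timeout})
    base = http.server.ThreadingHTTPServer if threaded else http.server.HTTPServer

    class DemoServer(base):
        daemon_threads = True  # only matters for the threaded variant

        def server_bind(self):
            # Skip HTTPServer's getfqdn() so the demo never touches DNS.
            socketserver.TCPServer.server_bind(self)
            self.server_name = self.server_address[0]
            self.server_port = self.server_address[1]

        def handle_error(self, request, client_address):
            pass  # broken pipes from probe sockets we already closed are expected

    return DemoServer(("127.0.0.1", 0), handler)


def probe(host, port, timeout):
    """One complete request on a fresh connection; True if a status line
    comes back within `timeout` seconds, False if the server never answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(COMPLETE_REQUEST)
            return s.recv(64).startswith(b"HTTP/")
    except OSError:  # includes socket.timeout and connection resets
        return False


def service_survives(threaded, header_timeout, stalled_clients=4, probe_timeout=3.0):
    """Hold `stalled_clients` half-sent requests open, then ask whether a
    legitimate client is still served. True means the service survived."""
    server = make_server(threaded, header_timeout)
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    stalled = []
    try:
        for _ in range(stalled_clients):
            s = socket.create_connection((host, port), timeout=5)
            s.sendall(STALLED_REQUEST)
            stalled.append(s)
        time.sleep(0.2)  # let the server accept and block on the first one
        return probe(host, port, probe_timeout)
    finally:
        for s in stalled:
            s.close()  # release the blocked handler before stopping the server
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("single-threaded, no timeout:    ", service_survives(False, None))
    print("single-threaded, 0.25 s timeout:", service_survives(False, 0.25))
    print("threaded, no timeout:           ", service_survives(True, None))
```

Four stalled connections are enough because the single-threaded server is stuck inside header parsing on the first one and the others simply queue in the listen backlog behind it; the probe queues too and never gets a response. With a header timeout the server sheds each stalled client after 0.25 s and reaches the probe; with a thread per connection the probe is served immediately while the stalled threads sit idle. Real production servers combine both properties with limits the development server has no reason to implement.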