python-kdcproxy-1.0.0-9.el9_7
Errata ID: AXSA:2025-11449:02
Release date:
2025/12/04 Thursday - 18:51
Title:
python-kdcproxy-1.0.0-9.el9_7
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- When kdcproxy receives a request for a realm that has no server addresses defined in its configuration, it unintentionally queries the SRV records in the DNS zone matching the requested realm. A remote attacker can therefore, by sending a specially crafted request naming a realm for which DNS SRV records exist, carry out a server-side request forgery attack and, through it, probe the internal network topology, perform port scanning and exfiltrate sensitive data. (CVE-2025-59088)
- kdcproxy does not limit the data length of response packets received over TCP connections, so it consumes memory and CPU resources without bound. A remote attacker can exploit this to cause a denial of service (CPU and memory exhaustion) by sending specially crafted response packets. (CVE-2025-59089)
Solution:
Update the package.
CVE:
CVE-2025-59088
If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.
CVE-2025-59089
If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
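As an added illustration (not kdcproxy's own code and not the fix shipped in this package), the following Python sketch shows a bounded reader for the RFC 4120 TCP framing that avoids both failure modes described above for CVE-2025-59089: the length prefix is validated before any body bytes are buffered, and reading stops at exactly the announced length rather than continuing until a timeout. The MAX_KRB_MSG_LEN value, the FakeSocket fixture and the function names are assumptions made for this example.

```python
import struct

# Illustrative cap, not kdcproxy's own constant: Kerberos messages are
# small, so anything near this size is not a legitimate KDC reply.
MAX_KRB_MSG_LEN = 1024 * 1024
CHUNK = 4096

class ResponseRejected(Exception):
    """Raised when a TCP reply violates the length rules below."""

class FakeSocket:
    """Constructed stand-in for a connected TCP socket (test fixture only).
    `segment` caps each recv() to mimic a peer sending small TCP segments."""
    def __init__(self, stream: bytes, segment: int = 0):
        self._buf, self._seg = stream, segment
    def recv(self, n: int) -> bytes:
        if self._seg:
            n = min(n, self._seg)
        chunk, self._buf = self._buf[:n], self._buf[n:]
        return chunk

def _recv_exact(sock, n: int) -> bytes:
    # Reads exactly n bytes and never asks for more than the frame needs.
    parts, remaining = [], n
    while remaining:
        chunk = sock.recv(min(CHUNK, remaining))
        if not chunk:
            raise ResponseRejected("peer closed connection mid-message")
        parts.append(chunk)
        remaining -= len(chunk)
    return b"".join(parts)

def recv_kdc_response(sock, max_len: int = MAX_KRB_MSG_LEN) -> bytes:
    """Bounded reader for a KDC-over-TCP reply (RFC 4120 section 7.2.2:
    4-byte big-endian length with the high bit reserved, then the message).
    Unlike the pattern in CVE-2025-59089, which kept calling recv() until the
    buffered length happened to equal the header and re-copied the whole
    buffer each time, the header is checked first and the loop is bounded."""
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    if length & 0x80000000:
        raise ResponseRejected("reserved high bit set in length prefix")
    if length == 0 or length > max_len:
        raise ResponseRejected(f"announced length {length} outside 1..{max_len}")
    return _recv_exact(sock, length)

def read_reply(stream: bytes, max_len: int = MAX_KRB_MSG_LEN) -> bytes:
    """Convenience wrapper: parse one reply from a constructed byte stream."""
    return recv_kdc_response(FakeSocket(stream), max_len)
```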
Additional information:
N/A
Download:
SRPMS
- python-kdcproxy-1.0.0-9.el9_7.src.rpm
MD5: 6630d91af0bf16cf9492436fb555a02f
SHA-256: 97329087da22d75028def77d8591a3091c6314586b53be0f5643186c09c05da1
Size: 48.81 kB
Asianux Server 9 for x86_64
- python3-kdcproxy-1.0.0-9.el9_7.noarch.rpm
MD5: 53361b3a73a920169e84fae263c8c284
SHA-256: 479961b27e54ca56f28468e77b354495bd642f88d91d33f4a09259954b27ca8e
Size: 44.47 kB