Conversation

@jrisc jrisc commented Nov 12, 2025

This PR fixes two vulnerabilities:

  • CVE-2025-59088: Server-side request forgery (SSRF) via DNS discovery
    • Possible because use of DNS SRV records to discover KDCs was allowed by default for any requested realm
    • Now restricts DNS discovery of KDCs to realms explicitly declared in the configuration only
    • Adds support for wildcard realm sections (e.g., [*EXAMPLE.COM]) to handle realm hierarchies (like AD forests)
    • Previous unsafe behavior can be restored using the dns_realm_discovery setting
    • A warning is logged if a resolved SRV record points to a non-standard Kerberos port (can be suppressed using the silence_port_warn setting)
  • CVE-2025-59089: DoS attack via unbounded TCP buffering
    • Possible because of improper message length checks and redundant buffer exports
    • No longer accept messages longer than maximum Kerberos message length
    • Interrupts receiving when incoming message exceeds expected length
    • Export buffer only once after receiving process completed

Also remove outdated MIT license classifier, enable tests for Python 3.12 and 3.14, add missing test dependencies, and do not re-enable implicitly ignored conflicting Flake8 constraints (line breaks before AND after binary operators).

Given the fact this PR has a significant impact on how the configuration of kdcproxy works, it would probably make sense to make it part of a new release.

jrisc added 3 commits October 16, 2025 19:29
In Application.__handle_recv(), the next part of the TCP exchange is
received and queued to the io.BytesIO stream. Then, the content of the
stream was systematically exported to a buffer. However, this buffer
is only used if the data transfer is finished, causing a waste of
processing resources if the message is received in multiple parts.

On top of these unnecessary operations, this function does not handle
length limits properly: it accepts chunks of data with both
an individual and total length larger than the maximum theoretical
length of a Kerberos message, and will continue to wait for data as long
as the input stream's length is not exactly the same as the one provided
in the header of the response (even if the stream is already longer than
the expected length).

If the kdcproxy service is not protected against DNS discovery abuse,
the attacker could take advantage of these problems to operate a
denial-of-service attack (CVE-2025-59089).

After this commit, kdcproxy will interrupt the receiving of a message
after it exceeds the maximum length of a Kerberos message or the length
indicated in the message header. Also it will only export the content of
the input stream to a buffer once the receiving process has ended.

Signed-off-by: Julien Rische <jrische@redhat.com>
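The bounded receive loop described in the commit above, written out as an added example; this is not kdcproxy's own code and not the commit's diff. It assumes a maximum body length of 128 KiB (kdcproxy's real limit may differ), takes the 4-octet big-endian length prefix from RFC 4120 section 7.2.2, and models the socket as an iterable of chunks so the three checks can be exercised offline: each chunk and the running total are compared against the maximum, the announced length is validated as soon as the header is complete, reading stops the moment the stream exceeds either bound, and the stream is exported exactly once after receiving has ended.

```python
import io
import struct

# Assumed upper bound on a Kerberos message body for this example;
# kdcproxy's own limit lives in its codec and may differ.
MAX_KERBEROS_MSG_LEN = 128 * 1024
# RFC 4120 section 7.2.2: over TCP every message is preceded by a 4-octet
# big-endian length whose high bit is reserved and must be zero.
HEADER_LEN = 4


class MessageTooLong(ValueError):
    """The incoming data can no longer be a valid reply; stop reading."""


class MessageTruncated(ValueError):
    """The peer stopped sending before the announced length was reached."""


def frame_reply(body):
    """Build a length-prefixed TCP message (used to construct sample input)."""
    return struct.pack("!I", len(body)) + body


def receive_kerberos_tcp_reply(chunks, max_len=MAX_KERBEROS_MSG_LEN):
    """Reassemble a TCP reply from an iterable of chunks, as a socket would
    deliver them, and return the body without its length prefix.

    Raises MessageTooLong as soon as a chunk, the running total, or the
    announced length exceeds what a Kerberos message can be, and
    MessageTruncated if the peer stops before the announced length.
    """
    stream = io.BytesIO()
    expected = None  # total length (header + body) once the header is known
    for chunk in chunks:
        if not chunk:  # empty read: the peer closed the connection
            break
        if len(chunk) > HEADER_LEN + max_len:
            raise MessageTooLong("chunk of %d bytes exceeds the maximum" % len(chunk))
        stream.write(chunk)
        received = stream.tell()
        if received > HEADER_LEN + max_len:
            raise MessageTooLong("%d bytes received, more than the maximum" % received)
        if expected is None and received >= HEADER_LEN:
            # Header complete: read it in place, then return to the end.
            stream.seek(0)
            (body_len,) = struct.unpack("!I", stream.read(HEADER_LEN))
            stream.seek(0, io.SEEK_END)
            if body_len & 0x80000000:
                raise MessageTooLong("reserved high bit set in length prefix")
            if body_len > max_len:
                raise MessageTooLong("announced body of %d bytes exceeds the maximum" % body_len)
            expected = HEADER_LEN + body_len
        if expected is not None:
            if received > expected:
                raise MessageTooLong("%d bytes received, header announced %d" % (received, expected))
            if received == expected:
                break  # complete: do not wait for more data
    if expected is None or stream.tell() < expected:
        raise MessageTruncated("%d bytes received, header announced %s" % (stream.tell(), expected))
    # Single export, only once the message is complete.
    return stream.getvalue()[HEADER_LEN:]


if __name__ == "__main__":
    # Constructed reply delivered in three parts, as a slow peer might send it.
    sample = frame_reply(b"constructed-reply")
    print(receive_kerberos_tcp_reply([sample[:3], sample[3:9], sample[9:]]))
```

Because the function raises instead of waiting when the stream is already longer than the header announced, a peer that keeps sending cannot make the proxy buffer indefinitely; the caller closes the connection on either exception.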
Allowing the use of DNS discovery for any requested realm (i.e. querying
SRV records from the DNS zone matching the realm name) created a
server-side request forgery vulnerability (CVE-2025-59088). An attacker
could take advantage of a DNS zone they control to have kdcproxy direct
their request to any IP address (including loopback and internal
network) and port, allowing network and firewall rules probing, and data
exfiltration.

This commit mitigates this risk by making the global "use_dns" parameter
apply only to realms declared in the kdcproxy configuration, and other
configurations if their modules are enabled.

To accommodate cases where realm hierarchies (like AD forests) are
proxied, support for wildcards is added for realm section names. This
can be used to have any "sub-realm" considered known, and therefore
allowed to use DNS to discover their KDCs.

The new "dns_realm_discovery" parameter can be enabled (if "use_dns" is
not globally disabled) to allow use of DNS discovery for unknown realms
too, restoring the previous unsafe behavior.

For any KDC address obtained by DNS discovery, a warning is logged if
the port is not a standard Kerberos port. This warning can be silenced
using the "silence_port_warn" configuration parameter.

Signed-off-by: Julien Rische <jrische@redhat.com>
Signed-off-by: Julien Rische <jrische@redhat.com>
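The realm-restriction policy described in the DNS discovery commit, as an added example rather than kdcproxy's own implementation. It models the configuration as a dict of sections (a `global` section carrying `use_dns`, `dns_realm_discovery` and `silence_port_warn`, plus one section per declared realm) and assumes wildcard semantics in which `[*EXAMPLE.COM]` covers proper sub-realms such as `CHILD.EXAMPLE.COM` but neither `EXAMPLE.COM` itself nor a look-alike such as `NOTEXAMPLE.COM`; the project's exact matching rules may differ. `resolve_srv` is a hypothetical resolver hook so the decision logic and the port warning can be exercised with constructed SRV answers instead of live DNS.

```python
import logging

log = logging.getLogger("kdcproxy-example")

# Standard Kerberos service ports: 88 (KDC) and 464 (kpasswd).
STANDARD_KERBEROS_PORTS = {88, 464}


def realm_section_matches(section, realm):
    """Return True if a configuration section name covers `realm`.

    Assumed semantics for this example: a section name starting with '*'
    covers every proper sub-realm of its suffix ('*EXAMPLE.COM' matches
    CHILD.EXAMPLE.COM and A.B.EXAMPLE.COM), but not the suffix itself and
    not a realm that merely ends with the same characters (NOTEXAMPLE.COM).
    Any other section name must equal the realm exactly.
    """
    if section.startswith("*"):
        suffix = section[1:].lstrip(".")
        return realm.endswith("." + suffix)
    return section == realm


def dns_discovery_allowed(config, realm):
    """Decide whether SRV-record discovery may be used for `realm`."""
    global_cfg = config.get("global", {})
    if not global_cfg.get("use_dns", True):
        return False  # DNS discovery globally disabled
    for section in config:
        if section != "global" and realm_section_matches(section, realm):
            return True  # realm declared directly or through a wildcard section
    # Unknown realm: only allowed if the operator opted back into the previous
    # behaviour, in which any requester chooses which DNS zone gets queried.
    return bool(global_cfg.get("dns_realm_discovery", False))


def port_warning(realm, host, port, silence_port_warn=False):
    """Log and return the warning for a discovered KDC on a non-standard
    port, or return None when there is nothing to warn about."""
    if silence_port_warn or port in STANDARD_KERBEROS_PORTS:
        return None
    msg = "SRV record for realm %s points %s to non-standard port %d" % (realm, host, port)
    log.warning(msg)
    return msg


def discover_kdcs(config, realm, resolve_srv):
    """Return [(host, port), ...] for `realm`, or [] when DNS discovery is
    not permitted. `resolve_srv(realm)` is a hypothetical resolver hook
    yielding (host, port) pairs; a real one would query _kerberos._tcp.<realm>."""
    if not dns_discovery_allowed(config, realm):
        return []
    silence = config.get("global", {}).get("silence_port_warn", False)
    kdcs = []
    for host, port in resolve_srv(realm):
        port_warning(realm, host, port, silence)
        kdcs.append((host, port))
    return kdcs


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    sample_config = {
        "global": {"use_dns": True, "dns_realm_discovery": False},
        "EXAMPLE.COM": {},
        "*EXAMPLE.COM": {},
    }
    # Constructed SRV answers standing in for a real DNS lookup.
    sample_records = {
        "CHILD.EXAMPLE.COM": [("kdc1.child.example.com", 88), ("kdc2.child.example.com", 8080)],
        "UNKNOWN.TEST": [("127.0.0.1", 8080)],
    }
    lookup = lambda r: sample_records.get(r, [])
    for realm in ("CHILD.EXAMPLE.COM", "UNKNOWN.TEST"):
        print(realm, discover_kdcs(sample_config, realm, lookup))
```

With the sample configuration the unknown realm yields no KDCs at all, so the loopback address in its SRV answer is never contacted, while the declared forest still resolves and the 8080 entry produces a warning; flipping `dns_realm_discovery` to true is what reopens the unknown-realm path.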
@jrisc jrisc changed the title from "Fixes CVE-2025-59088 and CVE-2025-59089" to "Fixes for CVE-2025-59088 and CVE-2025-59089" Nov 12, 2025
Member

@simo5 simo5 left a comment

LGTM

@jrisc jrisc merged commit 840cd83 into latchset:main Nov 14, 2025
8 checks passed