Bug 2393955 (CVE-2025-59088)

Summary: CVE-2025-59088 python-kdcproxy: Unauthenticated SSRF via Realm‑Controlled DNS SRV
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2414550, 2414551
Bug Blocks:
Deadline: 2025-11-12

Description OSIDB Bzimport 2025-09-08 21:33:30 UTC
An unauthenticated client can control which host:port the proxy connects to by choosing a realm whose DNS publishes SRV records, leading to unbounded SRV auto discovery being used to make server-side connections across a trust boundary (including localhost/RFC1918) with no port/address policy and no validation of upstream responses, resulting in SSRF (CWE-918), data exfiltration, and origin-cloaked egress.
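The Doc Text above names the mitigation (set "use_dns" to false) and the description names what the vulnerable path lacked (an address and port policy for SRV-discovered upstreams). The following is an added audit helper, not code from python-kdcproxy or from this bug: it finds the realms for which a kdcproxy-style configuration would still fall back to SRV discovery, emits the hardened configuration, and shows the kind of upstream policy check the description refers to. It assumes the upstream INI layout (a `[global]` section carrying `use_dns`, one section per realm whose `kerberos` / `kpasswd` keys list space-separated upstream URIs); the sample configuration, realm names and addresses are constructed.

```python
"""
Audit helper for the CVE-2025-59088 exposure: which realms would a
kdcproxy-style configuration send to DNS SRV discovery, what does the
hardened (use_dns = false) configuration look like, and how would an
address/port policy reject an SRV-derived upstream.

Added example, not code from python-kdcproxy. Assumed layout: [global]
carries `use_dns`; each realm section lists upstream URIs under
`kerberos` / `kpasswd`, separated by whitespace.
"""
import configparser
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample configuration. EXAMPLE.COM is pinned to explicit KDCs,
# EMPTY.EXAMPLE has a section but no servers, and use_dns is left unset,
# which the advisory text says defaults to DNS discovery being enabled.
SAMPLE_CONFIG = """
[global]
configs = mit

[EXAMPLE.COM]
kerberos = kerberos+tcp://kdc1.example.com:88 kerberos+udp://kdc2.example.com:88
kpasswd = kpasswd+tcp://kdc1.example.com:464

[EMPTY.EXAMPLE]
"""

# Ports a KDC proxy legitimately needs to reach: Kerberos (88) and kpasswd (464).
ALLOWED_UPSTREAM_PORTS = frozenset({88, 464})


def parse_config(text):
    """Return (use_dns, realms); realms maps realm name -> list of upstream URIs."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    use_dns = cp.getboolean("global", "use_dns", fallback=True)
    realms = {}
    for section in cp.sections():
        if section == "global":
            continue
        servers = []
        for key in ("kerberos", "kpasswd"):
            servers.extend(cp.get(section, key, fallback="").split())
        realms[section] = servers
    return use_dns, realms


def classify_realm(use_dns, realms, realm):
    """How the proxy would pick upstreams for a requested realm:
    'configured' (explicit servers), 'dns' (SRV fallback, the SSRF path),
    or 'refused' (no servers and DNS discovery disabled)."""
    if realms.get(realm):
        return "configured"
    return "dns" if use_dns else "refused"


def dns_exposed_realms(text, requested_realms):
    """Realms from a request sample that would trigger SRV discovery."""
    use_dns, realms = parse_config(text)
    return sorted(r for r in requested_realms
                  if classify_realm(use_dns, realms, r) == "dns")


def harden_config(text):
    """Return the configuration with use_dns forced to false in [global]."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("global"):
        cp.add_section("global")
    cp.set("global", "use_dns", "false")
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def is_internal_address(addr):
    """True for loopback, private (RFC1918 and similar), link-local or unspecified."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def upstream_allowed(uri, resolved_addr):
    """Policy check for a candidate upstream: the URI port must be a Kerberos
    service port and the address it resolved to must not be internal."""
    parts = urlsplit(uri)
    if parts.port not in ALLOWED_UPSTREAM_PORTS:
        return False
    return not is_internal_address(resolved_addr)


if __name__ == "__main__":
    # Constructed realm sample standing in for realms seen in proxy requests.
    seen = ["EXAMPLE.COM", "EMPTY.EXAMPLE", "UNKNOWN.TEST"]
    print("realms that would fall back to DNS:", dns_exposed_realms(SAMPLE_CONFIG, seen))
    print(harden_config(SAMPLE_CONFIG))
```

Running the script lists EMPTY.EXAMPLE and UNKNOWN.TEST as the realms that would reach SRV discovery under the sample configuration, and prints the same configuration with `use_dns = false`, after which those realms are refused rather than resolved. The `upstream_allowed` check is the shape of policy the description says was missing: it is deliberately applied to the resolved address, not the SRV target name, because the advisory notes that attacker-published names may resolve to loopback or internal addresses.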

Comment 3 errata-xmlrpc 2025-11-12 15:22:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2025:21141 https://access.redhat.com/errata/RHSA-2025:21141

Comment 4 errata-xmlrpc 2025-11-12 15:22:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:21142 https://access.redhat.com/errata/RHSA-2025:21142

Comment 5 errata-xmlrpc 2025-11-12 16:14:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:21139 https://access.redhat.com/errata/RHSA-2025:21139

Comment 6 errata-xmlrpc 2025-11-12 16:27:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:21138 https://access.redhat.com/errata/RHSA-2025:21138

Comment 7 errata-xmlrpc 2025-11-12 17:45:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:21140 https://access.redhat.com/errata/RHSA-2025:21140

Comment 8 errata-xmlrpc 2025-11-17 06:14:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:21448 https://access.redhat.com/errata/RHSA-2025:21448