Bug 2393958 (CVE-2025-59089)

Summary: CVE-2025-59089 python-kdcproxy: Remote DoS via unbounded TCP upstream buffering
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2414552, 2414553    
Bug Blocks:    
Deadline: 2025-11-12   

Description Pedro Sampaio 2025-09-08 21:41:36 UTC 
HASH(0x5604d82f1d08)
Comment 2 errata-xmlrpc 2025-11-12 15:22:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2025:21141 https://access.redhat.com/errata/RHSA-2025:21141
Comment 3 errata-xmlrpc 2025-11-12 15:22:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:21142 https://access.redhat.com/errata/RHSA-2025:21142
Comment 4 errata-xmlrpc 2025-11-12 16:14:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:21139 https://access.redhat.com/errata/RHSA-2025:21139
Comment 5 errata-xmlrpc 2025-11-12 16:27:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:21138 https://access.redhat.com/errata/RHSA-2025:21138
Comment 6 errata-xmlrpc 2025-11-12 17:45:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:21140 https://access.redhat.com/errata/RHSA-2025:21140