Bug 2393958 (CVE-2025-59089)

Summary: CVE-2025-59089 python-kdcproxy: Remote DoS via unbounded TCP upstream buffering
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2414552, 2414553, 2415860    
Bug Blocks:    
Deadline: 2025-11-12   

Description Pedro Sampaio 2025-09-08 21:41:36 UTC 
HASH(0x5604d82f1d08)
Comment 2 errata-xmlrpc 2025-11-12 15:22:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2025:21141 https://access.redhat.com/errata/RHSA-2025:21141
Comment 3 errata-xmlrpc 2025-11-12 15:22:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:21142 https://access.redhat.com/errata/RHSA-2025:21142
Comment 4 errata-xmlrpc 2025-11-12 16:14:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:21139 https://access.redhat.com/errata/RHSA-2025:21139
Comment 5 errata-xmlrpc 2025-11-12 16:27:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:21138 https://access.redhat.com/errata/RHSA-2025:21138
Comment 6 errata-xmlrpc 2025-11-12 17:45:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:21140 https://access.redhat.com/errata/RHSA-2025:21140
Comment 7 errata-xmlrpc 2025-11-17 06:14:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:21448 https://access.redhat.com/errata/RHSA-2025:21448
Comment 8 errata-xmlrpc 2025-11-19 08:11:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:21748 https://access.redhat.com/errata/RHSA-2025:21748
Comment 9 errata-xmlrpc 2025-11-20 05:55:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:21806 https://access.redhat.com/errata/RHSA-2025:21806
Comment 10 errata-xmlrpc 2025-11-20 08:01:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:21821 https://access.redhat.com/errata/RHSA-2025:21821
Comment 11 errata-xmlrpc 2025-11-20 08:05:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:21820 https://access.redhat.com/errata/RHSA-2025:21820
Comment 12 errata-xmlrpc 2025-11-20 08:07:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:21819 https://access.redhat.com/errata/RHSA-2025:21819
Comment 13 errata-xmlrpc 2025-11-20 08:08:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:21818 https://access.redhat.com/errata/RHSA-2025:21818
Comment 14 errata-xmlrpc 2025-12-09 22:20:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:22982 https://access.redhat.com/errata/RHSA-2025:22982