ALAS2-2025-3085


Amazon Linux 2 Security Advisory: ALAS2-2025-3085
Advisory Released Date: 2025-12-08
Advisory Updated Date: 2025-12-10
Severity: Important

Issue Overview:

If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.
Amazon Linux Fix: The update, python-kdcproxy-0.3.3-1.amzn2.0.1, restricts DNS lookups to only explicitly configured Kerberos realms, preventing unauthorized network scanning. The fix introduces support for wildcard realm patterns to accommodate hierarchical structures, and adds optional parameters ("dns_realm_discovery" and "silence_port_warn") for backward compatibility. See package README for more information.
Action Required:
- If "use_dns" is set to false in your configuration: no action required.
- If "use_dns" is true and you already define trusted realms in your configuration: no action required.
- If "use_dns" is true and you rely on automatic DNS discovery: you must add your trusted realms to your configuration.
(CVE-2025-59088)

If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients. (CVE-2025-59089)
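The bounded-read behaviour the second issue calls for, shown as an added example that is neither kdcproxy's code nor part of this advisory: the reader takes the 4-octet Kerberos TCP length prefix, rejects a declared length above a cap before buffering anything, extends one bytearray in place instead of re-copying it on every recv(), and never asks the peer for more than the declared length, so extra streamed data is simply left unread. MAX_KRB_MSG_LEN, check_stream and the fake socket are constructed for this example.

```python
import struct

# Kerberos over TCP prefixes each message with a 4-octet big-endian length
# (RFC 4120 section 7.2.2). The cap is a constructed value for this example,
# not a constant taken from kdcproxy.
MAX_KRB_MSG_LEN = 64 * 1024

class ResponseTooLarge(Exception): pass
class TruncatedResponse(Exception): pass

def read_kdc_response(recv, max_len=MAX_KRB_MSG_LEN, chunk=4096):
    """Read one length-prefixed KDC reply; recv(n) returns <= n bytes, b'' on EOF.

    The declared length is checked before anything is buffered and recv() is
    never asked for more than the header still owes, so a peer that lies in the
    header or keeps streaming past it cannot grow the buffer until the timeout.
    """
    header = b""
    while len(header) < 4:
        part = recv(4 - len(header))
        if not part:
            raise TruncatedResponse("EOF inside length header")
        header += part
    (length,) = struct.unpack("!I", header)
    if length > max_len:
        raise ResponseTooLarge(f"declared {length} bytes, cap is {max_len}")
    buf = bytearray()  # extended in place, not re-copied on every recv()
    while len(buf) < length:
        part = recv(min(chunk, length - len(buf)))
        if not part:
            raise TruncatedResponse(f"EOF after {len(buf)} of {length} bytes")
        buf += part
    return bytes(buf)

def check_stream(stream, max_len=MAX_KRB_MSG_LEN):
    """Feed a constructed byte string through the reader; returns (status, payload)."""
    pos = 0

    def recv(n):  # constructed stand-in for socket.recv over a fixed buffer
        nonlocal pos
        out = stream[pos:pos + n]
        pos += len(out)
        return out

    try:
        return "ok", read_kdc_response(recv, max_len)
    except ResponseTooLarge:
        return "too-large", b""
    except TruncatedResponse:
        return "truncated", b""
```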


Affected Packages:

python-kdcproxy


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update python-kdcproxy or yum update --advisory ALAS2-2025-3085 to update your system.

New Packages:
noarch:
    python-kdcproxy-0.3.3-1.amzn2.0.1.noarch

src:
    python-kdcproxy-0.3.3-1.amzn2.0.1.src

Changelog:

2025-12-10: The description for CVE-2025-59088 was updated.