CVE-2025-59088

Summary

If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.

Affected Software

VendorProductVersion RangeStatus
latchsetkdcproxy0 < 1.1.0affected
Red HatRed Hat Enterprise Linux 100:1.0.0-19.el10_1 < *unaffected
Red HatRed Hat Enterprise Linux 10.0 Extended Update Support0:1.0.0-19.el10_0 < *unaffected
Red HatRed Hat Enterprise Linux 7 Extended Lifecycle Support0:0.3.2-3.el7_9.3 < *unaffected
Red HatRed Hat Enterprise Linux 88100020251103113748.143e9e98 < *unaffected
Red HatRed Hat Enterprise Linux 88100020251028161822.823393f5 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Advanced Update Support8020020251106022345.792f4060 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support8040020251103205102.5b01ab7e < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On8040020251103205102.5b01ab7e < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support8060020251030180424.ada582f1 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Telecommunications Update Service8060020251030180424.ada582f1 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Update Services for SAP Solutions8060020251030180424.ada582f1 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Telecommunications Update Service8080020251029082621.b0a6ceea < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Update Services for SAP Solutions8080020251029082621.b0a6ceea < *unaffected
Red HatRed Hat Enterprise Linux 90:1.0.0-9.el9_7 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Update Services for SAP Solutions0:1.0.0-7.el9_0.1 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Update Services for SAP Solutions0:1.0.0-7.el9_2.1 < *unaffected
Red HatRed Hat Enterprise Linux 9.4 Extended Update Support0:1.0.0-7.el9_4.1 < *unaffected
Red HatRed Hat Enterprise Linux 9.6 Extended Update Support0:1.0.0-9.el9_6 < *unaffected

Weaknesses

  • CWE-918: Server-Side Request Forgery (SSRF)

Workarounds

To mitigate this issue before a final fix can be applied, set "use_dns" parameter to false in the global section of the kdcproxy.conf file. This will disable the use of DNS to find Active Directory servers so it may break the service if DNS is needed.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References