Python KDCProxy Server-Side Request Forgery Vulnerability via DNS SRV Records

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Python KDCProxy. The issue arises when KDCProxy receives a request for a realm that has no server addresses defined in its configuration: by default, it then queries SRV records in the DNS zone of the requested realm. An attacker can exploit this by sending requests for a realm whose SRV records point to arbitrary ports and hostnames, potentially leading to data exfiltration and probing of internal network defenses. The vulnerability affects several Red Hat Enterprise Linux versions, including 8, 9, 9.6 Extended Update Support, and 10.0 Extended Update Support.

Impact

Exploitation allows unauthorized control over server-side requests, which can be directed to internal network resources or loopback addresses. This could bypass firewall protections, probe network topology, and exfiltrate data. Additionally, according to Red Hat, this vulnerability could lead to executing unauthorized code or commands.

Reproduction

To reproduce this vulnerability, send a request to KDCProxy for a realm that lacks server addresses in the configuration. Ensure that the DNS zone for the realm contains SRV records pointing to desired internal resources or loopback addresses. KDCProxy will automatically query these records and establish connections, exploiting the SSRF vulnerability.

Remediation

Update to the latest version of Python KDCProxy. For Red Hat Enterprise Linux users, this update is available through the Red Hat Update System. Consult the Red Hat Enterprise Linux 8, 9, or 10 documentation for specific update instructions.
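
The check below is an added illustration of how a destination taken from an SRV answer can be vetted before a proxy connects to it; it is not KDCProxy's code and not the vendor's fix. The function name, the port allow-list, the KDC network allow-list and the sample records are assumptions made for the example.

```python
import ipaddress

# Assumption for this sketch: a KDC proxy only needs Kerberos (88) and kpasswd (464).
ALLOWED_PORTS = {88, 464}
SPECIAL = ("loopback", "link_local", "unspecified", "multicast")


def vet_srv_target(host, port, addresses, kdc_networks):
    """Return reasons to refuse an SRV-derived destination; an empty list means accept.

    addresses    -- IP strings the SRV target name resolved to
    kdc_networks -- CIDR strings where this site's KDCs live (hypothetical allow-list)
    """
    reasons = []
    if port not in ALLOWED_PORTS:
        reasons.append(f"{host}: port {port} is not a Kerberos port")
    if not addresses:
        reasons.append(f"{host}: no addresses to check")
    nets = [ipaddress.ip_network(n) for n in kdc_networks]
    for text in addresses:
        ip = ipaddress.ip_address(text)
        # Unwrap ::ffff:a.b.c.d so an IPv4-mapped address cannot dodge the checks.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        kinds = [k for k in SPECIAL if getattr(ip, "is_" + k)]
        if kinds:
            reasons.append(f"{host}: {text} is {'/'.join(kinds)}")
        elif not any(ip in net for net in nets):
            reasons.append(f"{host}: {text} is outside the KDC networks")
    return reasons


# Constructed sample SRV answers: (target, port, resolved addresses).
SAMPLE = [
    ("kdc1.corp.example", 88, ["10.20.0.5"]),
    ("a.zone.example", 8080, ["127.0.0.1"]),
    ("b.zone.example", 88, ["169.254.169.254"]),
    ("c.zone.example", 88, ["::ffff:127.0.0.1"]),
    ("d.zone.example", 464, ["10.99.1.1"]),
]

if __name__ == "__main__":
    for host, port, addrs in SAMPLE:
        verdict = vet_srv_target(host, port, addrs, ["10.20.0.0/24"])
        print(host, "->", verdict or "accept")
```

A check like this only holds if the connection is then made to the vetted address itself rather than to a name that is resolved a second time.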

Added: Nov 12, 2025, 6:31 PM
Updated: Nov 12, 2025, 11:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.