Red Hat KDCProxy Unbounded TCP Buffering Vulnerability Leading to Remote Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Red Hat KDCProxy. It is triggered when KDCProxy can be made to connect to a Key Distribution Center (KDC) under an attacker's control, for example through server-side request forgery. KDCProxy does not bound the length of the TCP response it reads from the KDC, so a malicious KDC can stream far more data than any legitimate Kerberos message would carry, and the proxy buffers all of it. This unbounded buffering drives up memory and CPU consumption on the proxy host, and the stalled handlers can leave the listening socket's accept queue full, so legitimate clients are no longer served.

Impact

Exploitation drives memory and CPU consumption on the server high enough to produce a denial-of-service condition. Issuing several such requests concurrently makes this worse: each one ties up a handler for as long as the attacker keeps streaming, so the server's accept queue fills and legitimate users are no longer served.

Reproduction

To reproduce this vulnerability, KDCProxy must be configured to use DNS discovery for KDCs. An attacker who controls a DNS zone that KDCProxy will query can then point it at a KDC server they operate. As KDCProxy reads that server's response it buffers the data without checking its length, so the attacker can send far more than the application can handle. The proxy keeps consuming the stream until the connection times out, approximately 12 seconds later, by which point the server can be starved of available resources.
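The buffering defect described in the Vulnerability and Reproduction sections comes down to how the proxy reads a Kerberos-over-TCP response. The following is an added example, not kdcproxy's own code: it puts the vulnerable read-until-EOF pattern beside a bounded reader that honours the 4-byte length prefix Kerberos uses on TCP (RFC 4120 section 7.2.2) and refuses anything over a ceiling. The response size limit, the timeout, the simulated KDC and the message bytes are all assumptions constructed for the demonstration; the flood is kept to 4 MiB so the script finishes quickly, whereas a real attacker would stream for the whole connection lifetime.

```python
"""Kerberos-over-TCP response handling: unbounded read vs bounded framed read.

Added illustration, not kdcproxy's own code. RFC 4120 section 7.2.2 frames
every Kerberos TCP message with a 4-byte big-endian length whose high bit is
reserved. A proxy that ignores the prefix and reads until EOF buffers
whatever a malicious KDC sends; one that honours the prefix and caps it can
refuse an oversized response after reading four bytes.
"""
import socket
import struct
import threading

MAX_KDC_RESPONSE = 64 * 1024  # assumed ceiling for this example, not a kdcproxy setting
READ_TIMEOUT = 5.0            # assumed per-connection timeout for this example
CHUNK = 4096

# Constructed stand-ins for KDC traffic (not real Kerberos ASN.1).
LEGIT_BODY = b"constructed AS-REP stand-in"
LEGIT_RESPONSE = struct.pack("!I", len(LEGIT_BODY)) + LEGIT_BODY
# Malicious KDC: the prefix claims 256 MiB, then it streams as much as it can.
FLOOD_BYTES = 4 * 1024 * 1024
MALICIOUS_RESPONSE = struct.pack("!I", 256 * 1024 * 1024) + b"\x00" * FLOOD_BYTES


def read_until_eof(conn):
    """Vulnerable pattern: accumulate everything until the peer closes."""
    buf = bytearray()
    while True:
        data = conn.recv(CHUNK)
        if not data:
            return bytes(buf)
        buf += data


def recv_exact(conn, n):
    """Read exactly n bytes, or raise if the peer closes early."""
    buf = bytearray()
    while len(buf) < n:
        data = conn.recv(min(CHUNK, n - len(buf)))
        if not data:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += data
    return bytes(buf)


def read_kerberos_tcp_message(conn, limit=MAX_KDC_RESPONSE, timeout=READ_TIMEOUT):
    """Bounded pattern: parse the length prefix, cap it, then read exactly that much."""
    conn.settimeout(timeout)
    (length,) = struct.unpack("!I", recv_exact(conn, 4))
    if length & 0x80000000:
        raise ValueError("reserved high bit set in length prefix")
    if length > limit:
        raise ValueError("KDC response of %d bytes exceeds limit of %d" % (length, limit))
    return recv_exact(conn, length)


def run_exchange(reader, kdc_payload):
    """Drive `reader` against a simulated KDC that sends kdc_payload and closes.

    Returns (result, error): the bytes the reader returned, or the exception
    it raised. The KDC side runs in a thread over a socketpair.
    """
    proxy_side, kdc_side = socket.socketpair()

    def kdc():
        try:
            kdc_side.sendall(kdc_payload)
        except OSError:
            pass  # the proxy hung up early, which is what the bounded reader does
        finally:
            kdc_side.close()

    sender = threading.Thread(target=kdc)
    sender.start()
    try:
        return reader(proxy_side), None
    except (ValueError, ConnectionError, socket.timeout) as exc:
        return None, exc
    finally:
        proxy_side.close()
        sender.join()


if __name__ == "__main__":
    for name, reader in (("read_until_eof", read_until_eof),
                         ("read_kerberos_tcp_message", read_kerberos_tcp_message)):
        for label, payload in (("legitimate", LEGIT_RESPONSE),
                               ("malicious", MALICIOUS_RESPONSE)):
            result, err = run_exchange(reader, payload)
            buffered = len(result) if result is not None else 0
            print("%-26s %-10s buffered=%-9d error=%r" % (name, label, buffered, err))
```

Run as a script, the vulnerable reader reports 4 MiB plus the prefix buffered for the malicious KDC, while the bounded reader raises after the first four bytes and the simulated KDC's send fails because the proxy has already closed the connection. The limit is the check that matters; the timeout only caps how long a slow peer can hold a handler, and on its own would still let the attacker fill memory for its duration.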

Remediation

Update to a version of KDCProxy that includes the fix for this vulnerability. Instructions for applying the update are available on the Red Hat Customer Portal.
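A compensating control that follows from the Reproduction section, added here as an illustration rather than taken from the advisory: the attack path described requires KDCProxy to discover KDCs through DNS, so pinning each realm's KDCs in kdcproxy.conf and disabling DNS discovery removes the attacker's ability to steer the proxy to a server they run. It does not replace the update. The fragment follows the configuration format documented in the python-kdcproxy README; the realm and host names are placeholders, and the option names should be checked against the version you deploy.

```ini
# /etc/kdcproxy.conf (illustrative; realm and hosts are placeholders)
[global]
# Do not look up KDCs through DNS SRV records. Only the realms listed
# below are proxied, and only to the servers named for them.
use_dns = false

[EXAMPLE.COM]
kerberos = kerberos+tcp://kdc1.example.com:88 kerberos+tcp://kdc2.example.com:88
kpasswd = kpasswd+tcp://kdc1.example.com:464
```

With DNS discovery off, a request naming a realm that has no section is refused instead of triggering a lookup, which is the step an attacker-controlled zone would otherwise hijack.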

Added: Nov 12, 2025, 6:30 PM
Updated: Nov 12, 2025, 11:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.