On Wed, 22 Jul 2015, Christian Heimes wrote:
On 2015-07-22 20:38, Nathaniel McCallum wrote:
On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote:
On 2015-07-22 20:23, Nathaniel McCallum wrote:
Related: CVE-2015-5159


https://bugzilla.redhat.com/show_bug.cgi?id=1245200

The patch prevents a flood attack, but I consider it more a workaround
than a solution. I'll update kdcproxy tomorrow.

The problem is that while we can provide a sane default, special
applications might require different sizes (either smaller or larger).
I think this fix is acceptable since it keeps the solution entirely
within the configuration domain.

The python-kdcproxy package may be used by other parties with different
web servers. I also like to see a countermeasure in kdcproxy. Other
installations should not fall victim to the same issue.

How about we set the default maximum size to a rather large value (like
5 or 10 MB) and make it configurable in kdcproxy.conf? 5 MB is very,
very large for a Kerberos request but still prevents DoS and the OOM killer.
Even with Microsoft implementations, Max Token Size could be way less
(it is set to 12000 bytes by default). There is a hard limit of 1015 groups
a user could be a member of, thus even if all of those groups were
specified as SIDs (coming from different domains), you'd get
(8+15*4)*1015=69020 bytes plus the rest, which is lower than 30000 bytes
for sure. Thus setting it to 100KiB would be enough.

--
/ Alexander Bokovoy
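The countermeasure discussed in this thread (a configurable cap on the proxied request size, enforced in kdcproxy itself rather than only in the front-end web server) can be illustrated as follows. This is an added example, not kdcproxy's own code: the `[global]` section and the `max_request_size` key are assumed names, the 5 MB default is taken from the proposal above, and the WSGI environ is constructed inline so the snippet runs offline. It rejects a request both when the declared Content-Length exceeds the cap and when the actual body does, so a missing or understated Content-Length cannot make the server buffer an unbounded body. The last helper reproduces the Max Token Size estimate from the reply for comparison with the cap.

```python
import configparser
import io

# Default cap, taken from the 5 MB figure proposed in the thread.
DEFAULT_MAX_REQUEST_SIZE = 5 * 1024 * 1024


def load_max_request_size(conf_text, default=DEFAULT_MAX_REQUEST_SIZE):
    """Parse an INI-style config and return the request size cap in bytes.

    The [global] section and the max_request_size key are assumptions for
    this example, not a documented kdcproxy.conf setting.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    value = parser.getint("global", "max_request_size", fallback=default)
    if value <= 0:
        raise ValueError("max_request_size must be positive")
    return value


def read_bounded_body(environ, max_size):
    """Return (status, body) for a WSGI request, never buffering more than
    max_size bytes.

    A declared Content-Length above the cap is rejected before any read;
    the read itself is bounded too, because Content-Length may be absent
    or lie.
    """
    declared = (environ.get("CONTENT_LENGTH") or "").strip()
    if declared:
        try:
            length = int(declared)
        except ValueError:
            return "400 Bad Request", b""
        if length < 0:
            return "400 Bad Request", b""
        if length > max_size:
            return "413 Request Entity Too Large", b""
    stream = environ["wsgi.input"]
    # Read one byte beyond the cap: enough to detect an oversized body
    # without ever holding more than max_size + 1 bytes in memory.
    data = stream.read(max_size + 1)
    if len(data) > max_size:
        return "413 Request Entity Too Large", b""
    return "200 OK", data


def ad_max_token_estimate(groups=1015, sid_bytes=8 + 15 * 4):
    """Upper bound on SID bytes in a token, as computed in the thread."""
    return sid_bytes * groups


def make_environ(body, content_length=None):
    """Build a minimal constructed WSGI environ for testing."""
    environ = {"wsgi.input": io.BytesIO(body), "REQUEST_METHOD": "POST"}
    if content_length is not None:
        environ["CONTENT_LENGTH"] = str(content_length)
    return environ


if __name__ == "__main__":
    cap = load_max_request_size("[global]\nmax_request_size = 102400\n")
    print(cap, read_bounded_body(make_environ(b"x" * 10, 10), cap)[0])
    print(read_bounded_body(make_environ(b"x" * 200000), cap)[0])
```

Reading `max_size + 1` bytes is the important detail: checking only Content-Length leaves a request with a chunked or understated body able to exhaust memory, which is exactly the OOM-killer scenario the thread is trying to avoid.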

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
