[Freeipa-devel] [PATCH 0085] Limit request sizes to /KdcProxy

Alexander Bokovoy abokovoy at redhat.com
Wed Jul 22 19:47:03 UTC 2015


On Wed, 22 Jul 2015, Christian Heimes wrote:
>On 2015-07-22 20:38, Nathaniel McCallum wrote:
>> On Wed, 2015-07-22 at 20:34 +0200, Christian Heimes wrote:
>>> On 2015-07-22 20:23, Nathaniel McCallum wrote:
>>>> Related: CVE-2015-5159
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1245200
>>>
>>> The patch prevents a flood attack but I consider more a workaround
>>> than
>>> a solution. I'll update kdcproxy tomorrow.
>>
>> The problem is that while we can provide a sane default, special
>> applications might require different sizes (either smaller or larger).
>> I think this fix is acceptable since it keeps the solution entirely
>> within the configuration domain.
>
>The python-kdcproxy package may be used by other parties with different
>web servers. I also like to see a countermeasure in kdcproxy. Other
>installations should not fall victim to the same issue.
>
>How about we set the default maximum size to a rather large value (like
>5 or 10 MB) and make it configurable in kdcproxy.conf? 5 MB is very,
>very large for a Kerberos request but still prevents DoS and OOM killer

Even with Microsoft implementations, Max Token Size could be way less
(it is set to 12000 bytes by default). There is a hard limit of 1015 groups
a user could be a member of, thus even if all of those groups were
specified as SIDs (coming from different domains), you'd get
(8+15*4)*1015=69020 bytes plus the rest, which is lower than 30000 bytes
for sure. Thus setting it as 100 KiB would be enough.

-- 
/ Alexander Bokovoy
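The countermeasure discussed in this thread, a configurable cap on the size of a request body posted to the KDC proxy, as an added example. This is not kdcproxy's or FreeIPA's code; it is a stand-alone WSGI handler written for illustration. The 100 KiB default, the function names and the constructed requests in the driver are assumptions, and the `max_group_sid_bytes` helper only reproduces the (8+15*4)*1015 arithmetic from the reply above. It enforces the limit twice: once on the declared Content-Length, which is cheap, and again while reading the stream, because a client can omit or understate Content-Length and the point of the patch is to avoid buffering an oversized body at all.

```python
import io

# Assumed configurable default; 100 KiB is the bound argued in the reply above.
DEFAULT_MAX_REQUEST_SIZE = 100 * 1024


def max_group_sid_bytes(groups=1015, sid_header=8, max_sub_authorities=15):
    """Worst-case size of a list of `groups` binary SIDs.

    A binary SID is an 8-byte header followed by at most 15 four-byte
    sub-authorities, so this reproduces the (8+15*4)*1015 figure.
    """
    return (sid_header + 4 * max_sub_authorities) * groups


class RequestTooLarge(Exception):
    pass


def read_limited_body(environ, max_size=DEFAULT_MAX_REQUEST_SIZE, chunk_size=8192):
    """Return the request body, raising RequestTooLarge before buffering past max_size.

    The declared Content-Length is checked first (cheap rejection), then the
    actual stream, since a client may omit or understate Content-Length.
    """
    declared = environ.get("CONTENT_LENGTH", "")
    if declared:
        try:
            declared = int(declared)
        except ValueError:
            raise RequestTooLarge("malformed Content-Length")
        if declared < 0 or declared > max_size:
            raise RequestTooLarge("declared %d bytes, limit is %d" % (declared, max_size))

    stream = environ["wsgi.input"]
    buf = bytearray()
    while True:
        # Never ask for more than one byte past the limit, so an oversized body
        # is detected without ever allocating its full size.
        want = min(chunk_size, max_size + 1 - len(buf))
        chunk = stream.read(want)
        if not chunk:
            break
        buf += chunk
        if len(buf) > max_size:
            raise RequestTooLarge("body exceeds %d bytes" % max_size)
    return bytes(buf)


def guarded_app(environ, start_response, max_size=DEFAULT_MAX_REQUEST_SIZE):
    """Minimal WSGI app: 413 for oversized bodies, otherwise report the accepted length.

    A real proxy would hand the accepted body to the KDC here (hypothetical).
    """
    try:
        body = read_limited_body(environ, max_size)
    except RequestTooLarge as exc:
        start_response("413 Request Entity Too Large", [("Content-Type", "text/plain")])
        return [str(exc).encode("ascii")]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"accepted %d bytes" % len(body)]


def simulate(body, content_length=None, max_size=DEFAULT_MAX_REQUEST_SIZE):
    """Drive guarded_app with a constructed WSGI environ; returns (status, response bytes).

    Note that io.BytesIO does not cap reads at Content-Length the way a
    real WSGI server does, which is exactly why the stream check matters.
    """
    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": "/KdcProxy",
        "wsgi.input": io.BytesIO(body),
    }
    if content_length is not None:
        environ["CONTENT_LENGTH"] = str(content_length)
    status = []

    def start_response(line, headers):
        status.append(line)

    out = b"".join(guarded_app(environ, start_response, max_size))
    return status[0], out


if __name__ == "__main__":
    # Constructed requests: one within the limit, one flood-sized, one lying about its length.
    print(max_group_sid_bytes())
    print(simulate(b"\x30" * 512, content_length=512, max_size=1024))
    print(simulate(b"\x30" * (5 * 1024 * 1024), max_size=1024))
    print(simulate(b"\x30" * 4096, content_length=16, max_size=1024))
```

The second enforcement is the one that matters for the OOM scenario: a 413 based on Content-Length alone can be bypassed by a client that sends a small or absent header and then streams several megabytes, so the read loop caps what it will ever hold in memory at the limit plus one byte.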