As far as I can tell, this bug dates back to the original implementation of the kpasswd service in our code. A possible simple mitigation is to block UDP packets destined for the kpasswd service if they have a source port of 464 (possibly also 7 (echo), 19 (chargen), etc., or anything < 1024 if you're being especially paranoid).
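One way to express that blocking rule at the host firewall, as an added example that is not part of the original message: the policy is written first as a POSIX sh predicate (so it can be checked against a few constructed sample datagrams), then printed as the matching iptables commands. The mode names ("basic" for source ports 464/7/19, "paranoid" for any source port below 1024) and the use of iptables are assumptions of this example, not anything the original post specifies.

```shell
#!/bin/sh
# Policy sketch for the mitigation above: drop UDP datagrams addressed to the
# kpasswd port (udp/464) whose source port a real kpasswd client would never
# use, i.e. one that can only be another service being bounced at us.
KPASSWD_PORT=464

# should_drop PROTO SPORT DPORT MODE
# Returns 0 (drop) or 1 (allow). MODE is "basic" (source port 464, 7 or 19)
# or "paranoid" (any privileged source port, i.e. < 1024). Assumed names.
should_drop() {
    proto=$1; sport=$2; dport=$3; mode=${4:-basic}
    [ "$proto" = udp ] || return 1                 # only UDP is affected
    [ "$dport" -eq "$KPASSWD_PORT" ] || return 1   # only traffic to kpasswd
    case $mode in
        basic)
            case $sport in
                "$KPASSWD_PORT"|7|19) return 0 ;;  # kpasswd, echo, chargen
                *) return 1 ;;
            esac ;;
        paranoid)
            [ "$sport" -lt 1024 ] && return 0
            return 1 ;;
        *)
            echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# kpasswd_filter_rules MODE
# Prints the iptables commands that express the same policy at the host
# firewall. Rules are printed, not applied; pipe the output to sh to install.
kpasswd_filter_rules() {
    case ${1:-basic} in
        basic)
            echo "iptables -A INPUT -p udp --dport $KPASSWD_PORT -m multiport --sports 7,19,$KPASSWD_PORT -j DROP" ;;
        paranoid)
            echo "iptables -A INPUT -p udp --dport $KPASSWD_PORT --sport 0:1023 -j DROP" ;;
        *)
            echo "usage: kpasswd_filter_rules basic|paranoid" >&2; return 1 ;;
    esac
}

# Constructed sample datagrams (proto sport dport), walked under "basic".
for pkt in "udp 464 464" "udp 19 464" "udp 40000 464" "tcp 464 464"; do
    set -- $pkt
    if should_drop "$1" "$2" "$3" basic; then echo "drop  $pkt"; else echo "allow $pkt"; fi
done
```

A legitimate client picks an ephemeral source port, so neither mode touches normal password-change traffic; the paranoid rule only widens the net to every privileged source port.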