ISC has disclosed three vulnerabilities in Kea
a year ago
- #Kea-DHCP
- #security
- #vulnerability
- Three vulnerabilities in the Kea DHCP server suite were disclosed (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803).
- CVE-2025-32801 allows local privilege escalation via hook library injection.
- CVE-2025-32802 involves arbitrary file overwrite via the 'config-write' command.
- CVE-2025-32803 relates to world-readable DHCP lease and log files, leading to information leaks.
- The vulnerabilities affect multiple Linux and BSD distributions with varying degrees of severity.
- Upstream has released bugfix versions (2.4.2, 2.6.3, 2.7.9) addressing these issues.
- Hardening suggestions include enforcing authentication on the REST API and restricting file permissions.
- A detailed timeline of the disclosure process is provided, starting from initial reporting to public disclosure.
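The file-permission hardening point above (the exposure class of CVE-2025-32803, world-readable lease and log files) can be turned into a repeatable check. The script below is an added example, not part of ISC's advisory or the Kea project; it assumes nothing about your installation beyond the directories you pass to it, and the demonstration at the bottom runs on a constructed temporary directory so it can be executed anywhere offline.

```shell
#!/bin/sh
# Added example (not ISC's code): find files under one or more directories that
# are readable by "other" users, and optionally strip that access. Intended for
# Kea state and log directories (e.g. the lease CSV files and kea-dhcp*.log);
# the paths you pass are your own, nothing is hard-coded here.

# Print every regular file under the given directories whose mode grants the
# o+r bit. Uses only POSIX find, so it behaves the same on Linux and the BSDs.
find_world_readable() {
    find "$@" -type f -perm -o=r 2>/dev/null
}

# Return 0 when no world-readable file exists under the given directories,
# 1 (and a listing on stdout) otherwise. Suitable as a monitoring check.
check_kea_state_dirs() {
    hits=$(find_world_readable "$@")
    if [ -n "$hits" ]; then
        printf 'world-readable files found:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# Remediation: remove all "other" access from the offending files. Only the
# o bits change, so the owner (the kea user) and group keep their access.
remove_other_read() {
    find "$@" -type f -perm -o=r -exec chmod o-rwx {} + 2>/dev/null
}

# Demonstration on a constructed directory with two fake state files.
demo_dir=$(mktemp -d)
printf 'constructed lease data\n' > "$demo_dir/kea-leases4.csv"
chmod 644 "$demo_dir/kea-leases4.csv"     # world-readable: should be reported
printf 'constructed log line\n' > "$demo_dir/kea-dhcp4.log"
chmod 640 "$demo_dir/kea-dhcp4.log"       # owner/group only: should pass

if check_kea_state_dirs "$demo_dir"; then
    echo "unexpected: demo directory already clean"
else
    remove_other_read "$demo_dir"
    check_kea_state_dirs "$demo_dir" && echo "remediated: no world-readable files remain"
fi
rm -rf "$demo_dir"
```

In practice, run `check_kea_state_dirs` against the directories your Kea build actually writes to (they vary by distribution, which is why the script takes them as arguments), and pair the permission fix with the upstream bugfix release so newly created lease and log files are not written world-readable again.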