Seguridad-Re: ISC has disclosed three vulnerabilities in KEA (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)

Summary of Security Vulnerabilities in Kea DHCP Server Suite

On May 28, 2025, Matthias Gerstner reported significant vulnerabilities in the Kea DHCP server suite, exploitable by local users on various Linux and BSD distributions. The Internet Systems Consortium (ISC) initially disclosed three major vulnerabilities (CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803) during their routine security review. These vulnerabilities enable local root exploits and unauthorized access to the REST API without proper authentication.

Overview of Kea DHCP

Kea is the modern replacement for ISC’s classic DHCP server software, featuring a REST API controlled by the kea-ctrl-agent. The agent relays JSON-based requests and commands between the DHCP services. Often, these services run with elevated privileges or use dedicated service credentials. The review found that the default configurations expose significant security risks, primarily because the API is unauthenticated and file paths are not properly secured.

Identified Security Issues

  1. Local Privilege Escalation (CVE-2025-32801): Through the set-config REST command, attackers can inject malicious hook libraries. By redirecting Kea to load a user-controlled library, attackers achieve arbitrary code execution as the user running the Kea processes, resulting in severe security breaches.

  2. Arbitrary File Overwrite (CVE-2025-32802): The config-write command enables attackers to write to arbitrary file paths, including system-critical files. An attacker can thereby inject harmful content into configuration files, leading to a local denial-of-service.

  3. Log File Redirection: Attackers can redefine log file paths, potentially exposing sensitive information through increased logging verbosity or inappropriate file locations.

  4. Service Spoofing with UNIX Sockets: If the kea-ctrl-agent attempts to connect to non-existent services, an attacker could bind a socket in a public directory to intercept commands sent to these services.

  5. Denial-of-Service via Socket Manipulation: The use of public directories like /tmp for UNIX sockets allows attackers to prevent services from starting or running by pre-creating socket files or lock files.

  6. Information Leakage through World-Readable Files: DHCP lease files and log files are accessible to all local users, facilitating potential privacy violations and information leaks.
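The six issues above share a small set of configuration patterns: sockets and logs in world-writable directories, hook libraries loaded from untrusted locations, world-readable state files, and a control agent without authentication. The script below is an added example (not code from the Kea project or from the original report) that audits a Kea configuration for those patterns. It assumes the standard Kea JSON layout (top-level "Dhcp4", "Dhcp6" and "Control-agent" objects with "control-socket"/"control-sockets", "hooks-libraries", "lease-database", "loggers" and "output_options"); the trusted-directory policy and the two sample configurations are constructed for the example and are not Kea defaults or values from the report.

```python
"""Audit a Kea configuration for the risk patterns listed in the report.

Added example, not Kea project code. The directory policy below is a
constructed assumption, not a Kea default.
"""
import json
import os
import stat

TRUSTED_SOCKET_DIRS = ("/run/kea", "/var/run/kea")                  # assumed policy
TRUSTED_HOOK_DIRS = ("/usr/lib/kea/hooks", "/usr/lib64/kea/hooks")  # assumed policy
PUBLIC_DIRS = ("/tmp", "/var/tmp", "/dev/shm")                      # world-writable


def in_dirs(path, dirs):
    """True if path lies inside one of dirs after normalisation."""
    norm = os.path.normpath(path)
    return any(norm == d or norm.startswith(d + os.sep) for d in dirs)


def socket_paths(section):
    """Yield UNIX socket paths from 'control-socket' (Dhcp4/Dhcp6) or the
    'control-sockets' map (Control-agent)."""
    single = section.get("control-socket")
    entries = [single] if isinstance(single, dict) else []
    entries += [v for v in section.get("control-sockets", {}).values() if isinstance(v, dict)]
    for entry in entries:
        if entry.get("socket-type", "unix") == "unix" and entry.get("socket-name"):
            yield entry["socket-name"]


def log_paths(section):
    """Yield file outputs from 'loggers', skipping stdout/stderr/syslog."""
    for logger in section.get("loggers", []):
        for opt in logger.get("output_options", []):
            out = opt.get("output", "")
            if out and out not in ("stdout", "stderr", "syslog") and not out.startswith("syslog:"):
                yield out


def world_readable(path):
    """None if the file is absent, else whether 'other' may read it."""
    if not path:
        return None
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return None
    return bool(mode & stat.S_IROTH)


def audit(config):
    """Return a list of (code, detail) findings for a parsed Kea config."""
    findings = []
    for name in ("Dhcp4", "Dhcp6", "Control-agent"):
        section = config.get(name)
        if not isinstance(section, dict):
            continue
        for sock in socket_paths(section):                 # issues 4 and 5
            if in_dirs(sock, PUBLIC_DIRS):
                findings.append(("SOCKET_IN_PUBLIC_DIR", f"{name}: {sock}"))
            elif not in_dirs(sock, TRUSTED_SOCKET_DIRS):
                findings.append(("SOCKET_OUTSIDE_TRUSTED_DIR", f"{name}: {sock}"))
        for hook in section.get("hooks-libraries", []):    # issue 1
            lib = hook.get("library", "") if isinstance(hook, dict) else ""
            if lib and not in_dirs(lib, TRUSTED_HOOK_DIRS):
                findings.append(("HOOK_OUTSIDE_TRUSTED_DIR", f"{name}: {lib}"))
        for log in log_paths(section):                     # issues 3 and 6
            if in_dirs(log, PUBLIC_DIRS):
                findings.append(("LOG_IN_PUBLIC_DIR", f"{name}: {log}"))
            elif world_readable(log):
                findings.append(("LOG_WORLD_READABLE", f"{name}: {log}"))
        leases = section.get("lease-database", {})         # issue 6
        if leases.get("type") == "memfile" and world_readable(leases.get("name", "")):
            findings.append(("LEASES_WORLD_READABLE", f"{name}: {leases['name']}"))
    agent = config.get("Control-agent")                    # unauthenticated REST API
    if isinstance(agent, dict):
        auth = agent.get("authentication")
        if not (isinstance(auth, dict) and auth.get("clients")):
            findings.append(("API_UNAUTHENTICATED", f"http-host={agent.get('http-host', '127.0.0.1')}"))
    return findings


def audit_json(text):
    return audit(json.loads(text))


# Constructed sample: the weak pattern from the report (sockets and log in
# /tmp, hook library outside the packaged hooks directory, no API auth).
WEAK_CONFIG = """{
  "Control-agent": {"http-host": "127.0.0.1", "http-port": 8000,
    "control-sockets": {"dhcp4": {"socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket"}}},
  "Dhcp4": {
    "control-socket": {"socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket"},
    "hooks-libraries": [{"library": "/home/alice/libdhcp_custom.so"}],
    "loggers": [{"name": "kea-dhcp4", "output_options": [{"output": "/tmp/kea-dhcp4.log"}]}]}
}"""

# Constructed sample: the same deployment with the hardening applied.
HARDENED_CONFIG = """{
  "Control-agent": {"http-host": "127.0.0.1", "http-port": 8000,
    "authentication": {"type": "basic", "realm": "kea-control-agent",
                       "clients": [{"user": "admin", "password": "EXAMPLE-PLACEHOLDER"}]},
    "control-sockets": {"dhcp4": {"socket-type": "unix", "socket-name": "/run/kea/kea4-ctrl-socket"}}},
  "Dhcp4": {
    "control-socket": {"socket-type": "unix", "socket-name": "/run/kea/kea4-ctrl-socket"},
    "hooks-libraries": [{"library": "/usr/lib/kea/hooks/libdhcp_lease_cmds.so"}],
    "loggers": [{"name": "kea-dhcp4", "output_options": [{"output": "/var/log/kea/kea-dhcp4.log"}]}]}
}"""

if __name__ == "__main__":
    for code, detail in audit_json(WEAK_CONFIG):
        print(f"{code:28} {detail}")
```

The file-mode checks only fire when the referenced file exists on the host running the audit, so the script is best run on the DHCP server itself against its live configuration; the path-policy checks work anywhere.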

Hardening Recommendations

The report recommends various strategies for enhancing Kea’s security posture, including:

  • Enforcing authentication on the REST API by default.
  • Restricting socket paths and writable file directories to trusted locations.
  • Modifying the way HTTP Basic Auth credentials are handled to prevent potential timing attacks.
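The last recommendation concerns how the control agent checks HTTP Basic Auth credentials: a byte-by-byte comparison that stops at the first mismatch leaks, through response timing, how much of a guess was correct. The following added example (not Kea code, and not the fix ISC shipped) shows one way to handle Basic Auth so that verification time does not depend on the supplied value: credentials are stored as salted PBKDF2 digests, the comparison uses hmac.compare_digest, and an unknown user is checked against a dummy record so that user enumeration by timing is also avoided. The client store, salt and passwords are constructed for the example.

```python
"""Timing-safe HTTP Basic Auth verification (added example, not Kea code)."""
import base64
import hashlib
import hmac

ITERATIONS = 50_000  # PBKDF2 work factor for this example


def make_record(password, salt):
    """Store a salted digest rather than the clear-text password."""
    return {"salt": salt, "digest": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


# Constructed credential store for the example.
CLIENTS = {"kea-admin": make_record("s3cret-example", b"constructed-salt-1")}
# Dummy record used for unknown users so the work done is the same either way.
DUMMY = make_record("unused-dummy-password", b"constructed-salt-0")


def basic_header(user, password):
    """Build an 'Authorization' header value as an HTTP client would."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Return (user, password) from 'Basic <base64>' or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def verify(header):
    """True only if the header carries a known user and matching password.

    The digest comparison is constant-time and is performed even for an
    unknown user, so the response time does not reveal which usernames
    exist or how many bytes of a guess were correct."""
    parsed = parse_basic_auth(header)
    if parsed is None:
        return False
    user, password = parsed
    record = CLIENTS.get(user, DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    digest_ok = hmac.compare_digest(candidate, record["digest"])
    return digest_ok and user in CLIENTS


if __name__ == "__main__":
    print(verify(basic_header("kea-admin", "s3cret-example")))  # True
    print(verify(basic_header("kea-admin", "wrong-guess")))      # False
```

The early return for a malformed header is acceptable because it reveals nothing about stored credentials; what must stay constant-time is everything that depends on the secret.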

Bug Fixes Implemented

ISC promptly closed these vulnerabilities by releasing bugfix versions (2.4.2, 2.6.3, 2.7.9). The updates include:

  • Restricting file and socket permissions to secure directories.
  • Implementing authentication for REST API access.
  • Modifying access controls on log and state directories to mitigate the information leakage risks.

Vulnerable Distributions

Various distributions, including Arch Linux, Debian, and Fedora, were assessed for vulnerability exposure. The response to the vulnerabilities varied, with some distributions offering stronger configurations (e.g., AppArmor on Debian) that mitigated specific risks while others remained highly affected due to default settings and configurations.

In conclusion, the report by Matthias Gerstner highlights critical security issues in the Kea DHCP suite while emphasizing the need for robust configurations and security practices in software deployments. The rapid response from ISC and subsequent fixes reinforce the importance of vigilance in software security, particularly for services running with elevated privileges.
