Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN555
_____________________________________________________________________

DATE                : 28/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running ISC KEA versions prior to
                                 3.0.1, 3.1.1.

=====================================================================
https://kb.isc.org/docs/cve-2025-40779
_____________________________________________________________________

CVE-2025-40779: Kea crash upon interaction between specific client
options and subnet selection


    Published on Aug 27, 2025 
    Ben Scott


CVE: CVE-2025-40779

Title: Kea crash upon interaction between specific client options
and subnet selection

Document version: 2.0

Posting date: 27 August 2025

Program impacted: Kea

Versions affected:

 Kea

    2.7.1 -> 2.7.9
    3.0.0
    3.1.0

Versions NOT affected:

 Kea

    2.6.0 -> 2.6.4

(Versions prior to 2.6.0 were not assessed.)

Versions prior to 2.6.0 are likely unaffected, but were not assessed,
as they are end-of-life (EOL).


Severity: High

Exploitable: Remotely

Description:

If a DHCPv4 client sends a request with some specific options, and Kea
fails to find an appropriate subnet for the client, the kea-dhcp4
process will abort with an assertion failure. This happens only if the
client request is unicast directly to Kea; broadcast messages do not
cause the problem.


Impact:

Denial of service. A malicious or misconfigured DHCP client can crash
the Kea DHCPv4 service by sending a single packet.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.


Workarounds:

No workarounds known.

Active exploits:

We are not aware of any active exploits.


Solution:

Upgrade to the patched release most closely related to your current
version of Kea:

    3.0.1
    3.1.1


Acknowledgments:

ISC would like to thank the following for bringing this vulnerability
to our attention:

    Jochen M.
    Martin Dinev, Trading212
    Ashwani Kumar, Post Graduate Institute of Medical Education & Research,
Chandigarh, India
    Bret Giddings, University of Essex
    Florian Ritterhoff, Munich University of Applied Sciences


Document revision history:

    1.0 Early Notification, 20 August 2025
    2.0 Public disclosure, 27 August 2025

Do you still have questions? Questions regarding this advisory should be
mailed to kea-security@isc.org or posted as confidential GitLab issues at
https://gitlab.isc.org/isc-projects/kea/-/issues/new?issue[confidential]=true.


Note:

ISC patches only currently supported versions. When possible we indicate EOL
versions affected. For current information on which versions are actively
supported, please see https://www.isc.org/download/.


ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be found in
the ISC Software Defect and Security Vulnerability Disclosure Policy at
https://kb.isc.org/docs/aa-00861.

The Knowledgebase article https://kb.isc.org/docs/cve-2025-40779 is
the complete and official security advisory document.


Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS"
basis. No warranty or guarantee of any kind is expressed in this notice
and none should be implied. ISC expressly excludes and disclaims any
warranties regarding this notice or materials referred to in this notice,
including, without limitation, any implied warranty of merchantability,
fitness for a particular purpose, absence of hidden defects, or of
non-infringement. Your use or reliance on this notice or materials
referred to in this notice is at your own risk. ISC may change this
notice at any time. A stand-alone copy or paraphrase of the text of
this document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of date,
or contain factual errors.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================