A packet containing a malformed DUID can cause the kea-dhcp6 server to terminate

CVE-2019-6474

5.7MEDIUM

Key Information

Vendor: Isc
Status: Kea
Vendor: CVE Published:; 28 August 2019

Summary

A missing check on incoming client requests can be exploited to cause a situation where the Kea server's lease storage contains leases which are rejected as invalid when the server tries to load leases from storage on restart. If the number of such leases exceeds a hard-coded limit in the Kea code, a server trying to restart will conclude that there is a problem with its lease store and give up. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0-beta2

Affected Version(s)

Kea = 1.4.0 to 1.5.0

Kea = 1.6.0-beta1

Kea = 1.6.0-beta2

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Risk change from: 6.5 to: 5.7 - (MEDIUM)
Feb 22, 2024
Vulnerability published.
Aug 28, 2019
Vulnerability Reserved.
Jan 16, 2019

Collectors

NVD DatabaseMitre Database