CVE-2019-6472 : Vulnerability Insights and Analysis

CVE-2019-6472 affects the Kea DHCPv6 server (kea-dhcp6) in versions 1.4.0 through 1.5.0 and the 1.6.0-beta1 and 1.6.0-beta2 pre-releases. A packet carrying a malformed DUID (DHCP Unique Identifier) causes the server process to exit, denying DHCPv6 service to clients. This page covers the impact, how the fault is triggered, and how to remediate it.

Understanding CVE-2019-6472

The Kea DHCPv6 server process (kea-dhcp6) can be made to terminate, and therefore stop serving clients, by sending it a packet whose DUID is not well formed. The DUID is the identifier a DHCPv6 client places in its Client Identifier option (option 1) and that the server places in its Server Identifier option (option 2); it is attacker-controlled input in every client message.

What is CVE-2019-6472?

The Kea DHCPv6 server (kea-dhcp6) exits unexpectedly when it receives a packet containing a malformed DUID. Affected releases are Kea 1.4.0 through 1.5.0 (including the 1.4.0-P1 patch release), 1.6.0-beta1, and 1.6.0-beta2. The DHCPv4 server (kea-dhcp4) does not process DUIDs in this way and is not affected.

The Impact of CVE-2019-6472

        Attack Vector: Adjacent Network (the attacker must be able to deliver a DHCPv6 message to the server, i.e. be on a link the server listens on or behind a relay that forwards to it)
        Attack Complexity: Low
        Privileges Required: None
        User Interaction: None
        Scope: Unchanged
        Confidentiality Impact: None
        Integrity Impact: None
        Availability Impact: High
        Base Score: 6.5 (Medium Severity), i.e. CVSS:3.x/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        A single unauthenticated packet terminates the DHCPv6 server process. Until the process is restarted, clients cannot obtain or renew IPv6 leases, and an attacker can repeat the packet to keep a restarted server down.

Technical Details of CVE-2019-6472

Vulnerability Description

When kea-dhcp6 processes a message whose DUID is improperly formatted, the error is not handled gracefully: instead of rejecting the packet and continuing, the server process terminates. Because the DUID is carried in the Client Identifier option of ordinary client messages, no special state or prior exchange is needed to reach the faulty code path.

Affected Systems and Versions

        Kea 1.4.0 through 1.5.0 (1.4.0, 1.4.0-P1, 1.5.0)
        Kea 1.6.0-beta1
        Kea 1.6.0-beta2
        Not affected: kea-dhcp4, and the patched releases 1.4.0-P2, 1.5.0-P1 and 1.6.0 and later

Exploitation Mechanism

An attacker who can deliver a DHCPv6 message to the server sends one with a malformed DUID, and the kea-dhcp6 process exits. No authentication or prior lease is required. DHCPv6 clients normally reach the server by link-local multicast, which is why the attack vector is rated Adjacent; however, a DHCPv6 relay forwards client messages, Client Identifier included, from other segments, so every segment with a relay pointed at the server is in scope. Only the DHCPv6 service is affected; kea-dhcp4 and the other Kea daemons keep running.
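The page does not say which structural fault Kea mishandled, so the following added example (written for this page, not Kea's own code) shows the class of input involved and the behaviour a fixed server must have: it parses the option list of a DHCPv6 client message, validates the Client Identifier DUID against the RFC 8415 layout for each DUID type, and turns every structural problem into a logged drop rather than an exception that escapes to the top of the process. The sample packets, option codes, and the rule that the variable-length tail of DUID-LLT/EN/LL must be at least one octet are constructed assumptions for the illustration.

```python
"""Validate the DUID in a DHCPv6 Client Identifier option (RFC 8415 s.11).

Added illustrative code, not taken from Kea. It shows the defensive contract
a DHCPv6 server needs: malformed input is rejected, never fatal.
"""
import struct

OPTION_CLIENTID = 1
DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
MAX_DUID_LEN = 130            # 2-octet type field plus at most 128 octets
# Octets each DUID type must carry after the 2-octet type field.
DUID_FIXED = {DUID_LLT: 2 + 4, DUID_EN: 4, DUID_LL: 2, DUID_UUID: 16}


class MalformedPacket(ValueError):
    """Any structural problem. Callers log it and drop the packet."""


def parse_options(body):
    """Walk the TLV option list: code(2) length(2) data(length), all big-endian."""
    opts, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 4:
            raise MalformedPacket("truncated option header at offset %d" % pos)
        code, length = struct.unpack_from("!HH", body, pos)
        pos += 4
        if length > len(body) - pos:
            raise MalformedPacket("option %d length %d overruns packet" % (code, length))
        opts.append((code, body[pos:pos + length]))
        pos += length
    return opts


def validate_duid(duid):
    """Return a description of a well-formed DUID; raise MalformedPacket otherwise."""
    if len(duid) < 2:
        raise MalformedPacket("DUID shorter than its 2-octet type field")
    if len(duid) > MAX_DUID_LEN:
        raise MalformedPacket("DUID of %d octets exceeds %d" % (len(duid), MAX_DUID_LEN))
    (dtype,) = struct.unpack_from("!H", duid, 0)
    if dtype not in DUID_FIXED:
        raise MalformedPacket("unknown DUID type %d" % dtype)
    rest, fixed = duid[2:], DUID_FIXED[dtype]
    if dtype == DUID_UUID:
        if len(rest) != fixed:
            raise MalformedPacket("DUID-UUID needs exactly 16 octets, got %d" % len(rest))
        return "DUID-UUID %s" % rest.hex()
    # LLT, EN and LL end in a variable-length address/identifier; this example
    # assumes that field must be at least one octet long.
    if len(rest) <= fixed:
        raise MalformedPacket("DUID type %d needs more than %d octets after the type, got %d"
                              % (dtype, fixed, len(rest)))
    if dtype == DUID_LLT:
        hw, t = struct.unpack_from("!HI", rest, 0)
        return "DUID-LLT hw=%d time=%d addr=%s" % (hw, t, rest[6:].hex())
    if dtype == DUID_EN:
        (ent,) = struct.unpack_from("!I", rest, 0)
        return "DUID-EN enterprise=%d id=%s" % (ent, rest[4:].hex())
    (hw,) = struct.unpack_from("!H", rest, 0)
    return "DUID-LL hw=%d addr=%s" % (hw, rest[2:].hex())


def inspect_packet(pkt):
    """Parse msg-type(1) transaction-id(3) options and validate the Client Identifier."""
    if len(pkt) < 4:
        raise MalformedPacket("packet shorter than the 4-octet header")
    client_ids = [v for c, v in parse_options(pkt[4:]) if c == OPTION_CLIENTID]
    if len(client_ids) != 1:
        raise MalformedPacket("expected exactly one Client Identifier, got %d" % len(client_ids))
    return {"msg_type": pkt[0], "xid": int.from_bytes(pkt[1:4], "big"),
            "duid": validate_duid(client_ids[0])}


def triage(pkt):
    """What the server loop must do: never let a bad packet escape as an exception."""
    try:
        return True, inspect_packet(pkt)["duid"]
    except MalformedPacket as exc:
        return False, "dropped: %s" % exc


def build(msg_type, xid, options):
    """Serialise a constructed client message from (code, data) options."""
    body = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    return bytes([msg_type]) + xid.to_bytes(3, "big") + body


# Constructed sample packets (not captured traffic). Message type 1 = Solicit.
GOOD_LLT = struct.pack("!HHI", DUID_LLT, 1, 0x5D000000) + bytes.fromhex("0242ac110002")
SOLICIT_OK = build(1, 0x123456, [(OPTION_CLIENTID, GOOD_LLT)])
SOLICIT_SHORT_DUID = build(1, 0x123457, [(OPTION_CLIENTID, b"\x00\x01\x00")])
SOLICIT_EMPTY_DUID = build(1, 0x123458, [(OPTION_CLIENTID, b"")])
SOLICIT_BAD_UUID = build(1, 0x123459, [(OPTION_CLIENTID, struct.pack("!H", DUID_UUID) + b"\x00" * 10)])
# Option header claims 20 octets of DUID but only 3 follow.
SOLICIT_OVERRUN = bytes([1, 0x12, 0x34, 0x5A]) + struct.pack("!HH", OPTION_CLIENTID, 20) + b"\x00\x01\x00"

if __name__ == "__main__":
    for name, pkt in [("ok", SOLICIT_OK), ("short", SOLICIT_SHORT_DUID), ("empty", SOLICIT_EMPTY_DUID),
                      ("bad-uuid", SOLICIT_BAD_UUID), ("overrun", SOLICIT_OVERRUN)]:
        print(name, triage(pkt))
```

The point of `triage` is the one a fix for this CVE has to make: every branch of `validate_duid` and `parse_options` raises the same exception type, and the receive loop catches exactly that type, so a hostile Client Identifier costs the server one log line instead of the process.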

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to the patched release for your series: Kea 1.4.0-P2 (for 1.4.0 and 1.4.0-P1), Kea 1.5.0-P1 (for 1.5.0), or Kea 1.6.0 (for the 1.6.0 betas). No configuration workaround is listed; until the upgrade is done, run kea-dhcp6 under a supervisor that restarts it, and keep in mind that a restart only buys time against an attacker who resends the packet.
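A quick way to turn the version list above into a fleet check, as an added example that is not ISC's code: the function below orders Kea version strings the way ISC numbers them (a `-betaN` pre-release sorts before the final release, which sorts before its `-PN` patch releases) and reports whether a given version falls in one of the vulnerable ranges named on this page and which fix release closes it. The ranges are taken from this advisory; the ordering rule is an assumption stated in the code.

```python
"""Is this kea-dhcp6 version affected by CVE-2019-6472? Added example, not ISC code."""
import re

# major.minor.patch with an optional -betaN (pre-release) or -PN (ISC patch) suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(beta|P)(\d+))?$")


def version_key(text):
    """Sortable key. Assumed ordering: 1.6.0-beta1 < 1.6.0-beta2 < 1.6.0 < 1.6.0-P1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Kea version %r" % text)
    major, minor, patch, stage, n = m.groups()
    rank = {"beta": 0, None: 1, "P": 2}[stage]
    return (int(major), int(minor), int(patch), rank, int(n or 0))


# Vulnerable ranges from the advisory, as [first affected, first fixed) per series.
AFFECTED_RANGES = [
    ("1.4.0", "1.4.0-P2"),
    ("1.5.0", "1.5.0-P1"),
    ("1.6.0-beta1", "1.6.0"),
]


def recommended_fix(version):
    """Return the fix release for an affected version, or None if it is not affected."""
    k = version_key(version)
    for first_bad, first_fixed in AFFECTED_RANGES:
        if version_key(first_bad) <= k < version_key(first_fixed):
            return first_fixed
    return None


def is_affected(version):
    return recommended_fix(version) is not None


if __name__ == "__main__":
    # Constructed inventory of version strings, e.g. as printed by `kea-dhcp6 -v`.
    for v in ["1.4.0", "1.4.0-P1", "1.4.0-P2", "1.5.0", "1.5.0-P1", "1.6.0-beta2", "1.6.0", "1.7.0"]:
        print("%-12s affected=%-5s fix=%s" % (v, is_affected(v), recommended_fix(v)))
```

`kea-dhcp6 -v` prints the running version, so the inventory loop can be fed from hosts directly; anything older than 1.4.0 or newer than 1.6.0 is reported as not affected by this CVE, which says nothing about other advisories for those releases.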

Long-Term Security Practices

        Track ISC security advisories and keep Kea on a supported, patched release
        Limit which links and relays can reach kea-dhcp6: DHCPv6 is link-scoped by design, so the server should listen only on the interfaces that serve clients, and relay agents should be configured only on segments that need them
        Run kea-dhcp6 under a process supervisor and alert on unexpected exits, so a crash is noticed and investigated rather than silently restarted

Patching and Updates

Upgrade to a release of Kea that contains the fix (1.4.0-P2, 1.5.0-P1, or 1.6.0 and later), available from ISC's downloads page.
