A vulnerability in the Kea DHCPv4 server process could allow an attacker to cause denial of service by triggering an assertion failure. This CVE affects versions 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0-beta2.
Understanding CVE-2019-6473
CVE-2019-6473 is a flaw in the Kea DHCPv4 server process that can lead to service disruption.
What is CVE-2019-6473?
The vulnerability in the Kea DHCPv4 server process can be exploited by an attacker to halt the server's execution, impacting DHCPv4 service availability.
The Impact of CVE-2019-6473
Technical Details of CVE-2019-6473
This section provides detailed technical insights into the vulnerability.
Vulnerability Description
The Kea DHCPv4 server process hits an assertion failure when it encounters an invalid hostname option.
Affected Systems and Versions
Exploitation Mechanism
An attacker can deliberately exploit this vulnerability by sending a packet with a malformed DUID, causing the kea-dhcp4 server to terminate.
Mitigation and Prevention
Protect your systems from CVE-2019-6473 with the following measures.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Ensure timely patching and updates to mitigate the vulnerability effectively.
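To decide which servers need the update, the affected set stated above can be checked against an inventory of reported Kea versions. The following is an added example, not code from ISC or from this advisory; the function names, the `verify` category and the sample inventory are assumptions made for illustration.

```python
import re

# Affected set as stated on this page: releases 1.4.0 through 1.5.0,
# plus the pre-releases 1.6.0-beta1 and 1.6.0-beta2.
RANGE_LOW, RANGE_HIGH = (1, 4, 0), (1, 5, 0)
LISTED_PRERELEASES = {((1, 6, 0), "beta1"), ((1, 6, 0), "beta2")}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9]+))?")


def parse_version(text):
    """Return ((major, minor, patch), suffix) for the first version in text."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    return base, (m.group(4) or "").lower()


def classify(text):
    """Classify a reported version as 'listed', 'verify' or 'not-listed'."""
    base, suffix = parse_version(text)
    if (base, suffix) in LISTED_PRERELEASES:
        return "listed"
    if not suffix:
        return "listed" if RANGE_LOW <= base <= RANGE_HIGH else "not-listed"
    # Suffixed builds (other pre-releases, vendor patch builds) close to the
    # affected releases are not enumerated on this page, so flag them for a
    # manual check against the vendor advisory instead of guessing.
    if RANGE_LOW <= base <= (1, 6, 0):
        return "verify"
    return "not-listed"


if __name__ == "__main__":
    # Constructed inventory (hypothetical host names and reported versions).
    inventory = {"dhcp-a": "1.5.0", "dhcp-b": "1.6.0-beta2",
                 "dhcp-c": "1.5.0-P1", "dhcp-d": "1.6.0"}
    for host, version in inventory.items():
        print(f"{host}: {version} -> {classify(version)}")
```

Hosts reported as `listed` run a version named in this advisory; `verify` marks builds the advisory does not enumerate, which should be checked against the vendor's release notes before being treated as safe.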