ISC Kea Insecure File Overwrite Vulnerability Allowing Local Attacks

A vulnerability in ISC Kea DHCP server versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8 allows for arbitrary file overwriting, depending on the permissions assigned to Kea. Commonly, Kea is run as root, with unsecured API entry points and control sockets in vulnerable locations. This exploitation could lead to unauthorized modification of Kea's configuration or overwriting of files accessible to the Kea process. If Kea is executed as root, any local file could be overwritten, potentially causing a system-wide denial of service or local privilege escalation.

Impact

Exploitation of this vulnerability could allow a local user with an unprivileged account to overwrite files or modify the Kea configuration, especially if the Kea process is running as root. This could lead to local privilege escalation or a denial of service across the system. Additionally, if control sockets are in an insecure location, it could allow impersonation of a Kea service or disrupt the normal operation of the Kea server.

Remediation

Users can upgrade to Kea versions 2.4.2, 2.6.3, or 2.7.9. For those using versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, or 2.7.0 through 2.7.8, it is recommended to upgrade to the next available version. If using an end-of-life version, consult the ISC website for guidance on upgrading.