US CERT issues security advisory on Kea server for memory flaw
US CERT issues security advisory on Kea server for memory flaw

US-CERT issued a security advisory, rated medium, for Kea DHCP version 1.4.0 that could cause memory leakage resulting in the failure of memory locations and a server crash.

The flaw, CVE-2018-5739, takes advantage of a previous issue where callout handle store added during an earlier update did not always properly free memory resulting in the eventual exhaustion of available memory and failure of the server. Essentially, if too many requests are sent the server will consume all system memory or, if a per-process memory limit is set, will hit that limit, after which point further memory allocations will fail and the Kea server will crash.

Kea is an open-source DHCP server developed by the Internet Systems Consortium (ISC).

“An attacker within the broadcast domain of a Kea server or is on a network that can relay DHCP traffic to the Kea server can hasten the arrival of this outcome by deliberately sending a large volume of requests to the Kea server,” ISC said.

US CERT noted this vulnerability is not being actively exploited, but the problem is such that even without an outside actor attacking a system with extra traffic, the memory allocation of the server will grow over time eventually causing a memory issue.

ISC recommends upgrading to Kea 1.4.0-P1.