CVE-2025-11232
📋 TL;DR
A configuration-dependent denial-of-service vulnerability in ISC Kea DHCP server versions 3.0.1-3.0.1 and 3.1.1-3.1.2. When a specific combination of configuration parameters is in effect (hostname-char-set at its default, hostname-char-replacement empty, ddns-qualifying-suffix non-empty), a malicious DHCP client can send specially crafted option content that causes kea-dhcp4 to crash unexpectedly. This affects organizations running vulnerable Kea DHCP servers with that specific configuration.
💻 Affected Systems
- ISC Kea DHCP Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete DHCP service outage affecting all network clients, preventing IP address assignment and network connectivity for all devices relying on DHCP.
Likely Case
Intermittent DHCP service crashes requiring manual restart, causing temporary network connectivity issues for clients.
If Mitigated
No impact if configuration is adjusted or patched; service remains stable with proper input validation.
🎯 Exploit Status
Exploitation requires sending malicious DHCP option content, which any DHCP client could potentially do. The specific configuration requirement makes widespread exploitation less likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 3.0.1 and 3.1.2
Vendor Advisory: https://kb.isc.org/docs/cve-2025-11232
Restart Required: Yes
Instructions:
1. Upgrade Kea DHCP to version 3.0.2 or later for the 3.0.x branch, or 3.1.3 or later for the 3.1.x branch.
2. Stop the Kea DHCP service.
3. Install the updated package.
4. Restart the Kea DHCP service.
5. Verify the service is running and stable.
🔧 Temporary Workarounds
Configuration Adjustment
Set ddns-qualifying-suffix to empty (the default) to avoid the vulnerable configuration combination.
Edit the Kea configuration file (typically kea-dhcp4.conf) and set "ddns-qualifying-suffix": "" or remove the parameter entirely.
Alternative Configuration Change
Change hostname-char-replacement to a non-empty value, or change hostname-char-set away from its default.
Edit the Kea configuration file and set "hostname-char-replacement": "-" or modify the "hostname-char-set" parameter.
🧯 If You Can't Patch
- Apply configuration workaround by setting ddns-qualifying-suffix to empty or adjusting other vulnerable parameters.
- Implement network segmentation to restrict which clients can communicate with DHCP server, reducing attack surface.
🔍 How to Verify
Check if Vulnerable:
Check the Kea version with 'kea-dhcp4 -V' and examine the configuration file for the vulnerable parameter combination: hostname-char-set at its default ([^A-Za-z0-9.-]), hostname-char-replacement empty, AND ddns-qualifying-suffix NOT empty.
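The configuration check described above, as an added Python example (not a script from the advisory or from ISC): it parses a kea-dhcp4.conf and reports every scope whose effective settings match the vulnerable combination. It assumes comment-free JSON and that the three parameters inherit from global to shared-network to subnet; the sample configuration is constructed for illustration.

```python
import json

# Kea defaults named by the advisory: the crash needs both defaults plus a non-empty suffix.
DEFAULT_CHAR_SET = "[^A-Za-z0-9.-]"
DEFAULTS = {"hostname-char-set": DEFAULT_CHAR_SET,
            "hostname-char-replacement": "",
            "ddns-qualifying-suffix": ""}

def resolve(scope, inherited):
    """Effective values for one scope: explicit keys override the enclosing scope."""
    return {k: scope.get(k, inherited[k]) for k in DEFAULTS}

def is_vulnerable_combo(params):
    """True when a scope matches the CVE-2025-11232 configuration combination."""
    return (params["hostname-char-set"] == DEFAULT_CHAR_SET
            and params["hostname-char-replacement"] == ""
            and params["ddns-qualifying-suffix"] != "")

def find_vulnerable_scopes(config_text):
    """Names of scopes (global, shared-networks, subnets) in the vulnerable
    combination. Assumes comment-free JSON and that the three parameters
    inherit global -> shared-network -> subnet (an assumption of this example)."""
    dhcp4 = json.loads(config_text)["Dhcp4"]
    glob = resolve(dhcp4, DEFAULTS)
    hits = ["global"] if is_vulnerable_combo(glob) else []
    for net in dhcp4.get("shared-networks", []):
        net_params = resolve(net, glob)
        if is_vulnerable_combo(net_params):
            hits.append("shared-network " + net.get("name", "?"))
        for sn in net.get("subnet4", []):
            if is_vulnerable_combo(resolve(sn, net_params)):
                hits.append("subnet4 " + sn.get("subnet", "?"))
    for sn in dhcp4.get("subnet4", []):
        if is_vulnerable_combo(resolve(sn, glob)):
            hits.append("subnet4 " + sn.get("subnet", "?"))
    return hits

# Constructed kea-dhcp4.conf fragment (not from the advisory): the global scope
# sets a qualifying suffix with default sanitising; one subnet overrides it.
SAMPLE_CONFIG = """{
  "Dhcp4": {
    "ddns-qualifying-suffix": "example.test.",
    "subnet4": [
      { "subnet": "192.0.2.0/24", "hostname-char-replacement": "-" },
      { "subnet": "198.51.100.0/24" }
    ]
  }
}"""
```

Running find_vulnerable_scopes on the sample reports the global scope and the 198.51.100.0/24 subnet, while the subnet that sets hostname-char-replacement is not flagged.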
Check Version:
kea-dhcp4 -V
Verify Fix Applied:
After patching, verify version is 3.0.2+ or 3.1.3+ with 'kea-dhcp4 -V'. Test DHCP service stability with client requests.
📡 Detection & Monitoring
Log Indicators:
- Unexpected kea-dhcp4 process termination
- DHCP service crash logs
- Restart messages in system logs
- Error messages related to option processing
Network Indicators:
- DHCP service unresponsive to DISCOVER/REQUEST packets
- Increased DHCP retransmissions from clients
- Abnormal DHCP option content in packet captures
SIEM Query:
source="kea.log" AND ("crash" OR "terminated" OR "segmentation fault" OR "unexpected exit")