CVE-2025-40779
📋 TL;DR
A denial-of-service vulnerability in the ISC Kea DHCPv4 server: a malicious DHCP client that sends unicast requests carrying specific options can cause the kea-dhcp4 process to crash with an assertion failure. Kea servers running vulnerable versions are affected when they process client requests sent directly to the server (unicast) rather than broadcast.
💻 Affected Systems
- ISC Kea DHCP Server
⚠️ Manual Verification Required
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete DHCP service outage requiring manual restart of kea-dhcp4 process, disrupting network connectivity for all DHCP clients.
Likely Case
Intermittent DHCP service disruption affecting clients attempting to obtain or renew leases during attack periods.
If Mitigated
Minimal impact with proper network segmentation and monitoring to detect and respond to crashes quickly.
🎯 Exploit Status
Exploitation requires sending crafted DHCPv4 unicast packets with specific options. No authentication is needed, because DHCP is typically an unauthenticated protocol.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.10, 3.1.1, or later versions
Vendor Advisory: https://kb.isc.org/docs/cve-2025-40779
Restart Required: Yes
Instructions:
1. Back up the current Kea configuration.
2. Upgrade to a patched version using the package manager (apt/yum) or compile from source.
3. Restart the kea-dhcp4 service: systemctl restart kea-dhcp4
4. Verify that the service is running and that clients can obtain leases.
🔧 Temporary Workarounds
Block Unicast DHCP Requests
Configure the firewall to drop unicast DHCP requests from untrusted sources while still accepting broadcast DHCP traffic. Note that clients renewing a lease (RENEWING state) and relay agents also send unicast to the server, so accept traffic from trusted relays before the DROP rule and expect renewals from directly attached clients to fall back to broadcast (rebinding). Replace <server_ip> and <relay_ip> with your own addresses:
iptables -A INPUT -p udp --dport 67 -d 255.255.255.255 -j ACCEPT   # broadcast DHCP from clients
iptables -A INPUT -p udp --dport 67 -s <relay_ip> -d <server_ip> -j ACCEPT   # unicast from each trusted relay agent
iptables -A INPUT -p udp --dport 67 -d <server_ip> -j DROP   # all other unicast DHCP sent directly to the server
Implement DHCP Relay Protection
Configure the network so that DHCP requests reach the server only through trusted DHCP relay agents.
🧯 If You Can't Patch
- Implement strict network segmentation to limit which clients can send unicast DHCP requests to the server
- Deploy monitoring and automated restart for kea-dhcp4 process to minimize service disruption
🔍 How to Verify
Check if Vulnerable:
Check the Kea version with kea-dhcp4 -v (Kea's short version flag, which prints the version string). If the version is 2.7.1 through 2.7.9, 3.0.0, or 3.1.0, the system is vulnerable.
Check Version:
kea-dhcp4 -v | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1
Verify Fix Applied:
After upgrade, verify version is 2.7.10+, 3.1.1+, or later. Test DHCP functionality with legitimate client requests.
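The version check above, as an added example (not code from the advisory or from ISC): a POSIX sh function that classifies a MAJOR.MINOR.PATCH string against the vulnerable ranges this page lists, plus a wrapper that runs it against the installed daemon. It assumes kea-dhcp4 is on PATH and that its -v output contains the version string.

```shell
#!/bin/sh
# Added example, not code from the advisory or from ISC: decide whether a Kea
# version string falls in the ranges this page lists as vulnerable to
# CVE-2025-40779 (2.7.1 through 2.7.9, 3.0.0 and 3.1.0).

# kea_vulnerable VERSION
#   returns 0 if VERSION is in a vulnerable range, 1 if not, 2 if VERSION
#   is not a well-formed MAJOR.MINOR.PATCH string.
kea_vulnerable() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$rest" = "$patch" ] && return 2   # only "X.Y" given, no patch field
    patch=${patch%%.*}                    # ignore any fourth component
    if [ "$major" -eq 2 ] && [ "$minor" -eq 7 ] \
       && [ "$patch" -ge 1 ] && [ "$patch" -le 9 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -eq 0 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -eq 1 ] && [ "$patch" -eq 0 ]; then return 0; fi
    return 1
}

# report_version VERSION: print a verdict and pass the status code through.
# Written so it is safe to call under "set -e".
report_version() {
    rc=0
    kea_vulnerable "$1" || rc=$?
    case $rc in
        0) echo "kea-dhcp4 $1: VULNERABLE to CVE-2025-40779; upgrade to 2.7.10, 3.1.1 or later" ;;
        1) echo "kea-dhcp4 $1: not in a vulnerable range" ;;
        *) echo "kea-dhcp4: could not parse version string '$1'" ;;
    esac
    return $rc
}

# On a real host: "kea-dhcp4 -v" prints the version; the grep keeps only the
# MAJOR.MINOR.PATCH part in case extra text surrounds it (assumes binary on PATH).
if command -v kea-dhcp4 >/dev/null 2>&1; then
    report_version "$(kea-dhcp4 -v 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)"
fi
```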
📡 Detection & Monitoring
Log Indicators:
- kea-dhcp4 process crash/restart logs
- Assertion failure messages in Kea logs
- DHCP service interruption alerts
Network Indicators:
- Unusual unicast DHCP traffic patterns
- DHCP DISCOVER/OFFER/REQUEST/ACK anomalies
SIEM Query:
(process:kea-dhcp4 AND (event:crash OR event:restart)) OR (dhcp.request_type:unicast AND dhcp.options:*)