CVE-2019-6472 - OpenCVE

A packet containing a malformed DUID can cause the Kea DHCPv6 server process (kea-dhcp6) to exit due to an assertion failure. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0-beta2.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:A/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Isc	Kea

Configuration 1 [-]

OR	cpe:2.3:a:isc:kea::::::::
	cpe:2.3:a:isc:kea:1.6.0:beta1::::::
	cpe:2.3:a:isc:kea:1.6.0:beta2::::::

References

Link	Resource
https://kb.isc.org/docs/cve-2019-6472	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: isc

Published: 2019-08-28T00:00:00

Updated: 2019-10-16T17:22:16

Reserved: 2019-01-16T00:00:00

Link: CVE-2019-6472

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-10-16T18:15:37.043

Modified: 2019-12-05T14:28:50.940

Link: CVE-2019-6472

JSON object: View

Redhat Information

No data.

CWE

CWE-617

{"containers": {"cna": {"affected": [{"product": "Kea", "vendor": "ISC", "versions": [{"status": "affected", "version": "1.4.0 to 1.5.0"}, {"status": "affected", "version": "1.6.0-beta1"}, {"status": "affected", "version": "1.6.0-beta2"}]}], "datePublic": "2019-08-28T00:00:00", "descriptions": [{"lang": "en", "value": "A packet containing a malformed DUID can cause the Kea DHCPv6 server process (kea-dhcp6) to exit due to an assertion failure. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0-beta2."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "An attacker who is able to send a request containing a malformed DUID to the server (either directly or via a relay) can cause the DHCPv6 server process to terminate, denying service to clients. Only the DHCPv6 service is affected by this vulnerability.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-16T17:22:16", "orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://kb.isc.org/docs/cve-2019-6472"}], "solutions": [{"lang": "en", "value": "Upgrade to a version of Kea containing a fix, available via\n https://www.isc.org/downloads.\n\n - Kea 1.4.0-P2\n - Kea 1.5.0-P1\n - Kea 1.6.0"}], "source": {"discovery": "INTERNAL"}, "title": "A packet containing a malformed DUID can cause the kea-dhcp6 server to terminate", "x_generator": {"engine": "Vulnogram 0.0.8"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-officer@isc.org", "DATE_PUBLIC": "2019-08-28T21:08:44.000Z", "ID": "CVE-2019-6472", "STATE": "PUBLIC", "TITLE": "A packet containing a malformed DUID can cause the kea-dhcp6 server to terminate"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kea", "version": {"version_data": [{"version_value": "1.4.0 to 1.5.0"}, {"version_value": "1.6.0-beta1"}, {"version_value": "1.6.0-beta2"}]}}]}, "vendor_name": "ISC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A packet containing a malformed DUID can cause the Kea DHCPv6 server process (kea-dhcp6) to exit due to an assertion failure. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0-beta2."}]}, "generator": {"engine": "Vulnogram 0.0.8"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "An attacker who is able to send a request containing a malformed DUID to the server (either directly or via a relay) can cause the DHCPv6 server process to terminate, denying service to clients. Only the DHCPv6 service is affected by this vulnerability."}]}]}, "references": {"reference_data": [{"name": "https://kb.isc.org/docs/cve-2019-6472", "refsource": "CONFIRM", "url": "https://kb.isc.org/docs/cve-2019-6472"}]}, "solution": [{"lang": "en", "value": "Upgrade to a version of Kea containing a fix, available via\n https://www.isc.org/downloads.\n\n - Kea 1.4.0-P2\n - Kea 1.5.0-P1\n - Kea 1.6.0"}], "source": {"discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "assignerShortName": "isc", "cveId": "CVE-2019-6472", "datePublished": "2019-08-28T00:00:00", "dateReserved": "2019-01-16T00:00:00", "dateUpdated": "2019-10-16T17:22:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:isc:kea:*:*:*:*:*:*:*:*", "matchCriteriaId": "27BBC7E1-37AF-4BC6-BA53-09CF7B8921BB", "versionEndIncluding": "1.5.0", "versionStartIncluding": "1.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:kea:1.6.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "43793833-7D0F-4C7C-80B4-F8563AD23607", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:kea:1.6.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "AECDE26A-DDFD-4035-A08E-E7A5CA37F1E8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A packet containing a malformed DUID can cause the Kea DHCPv6 server process (kea-dhcp6) to exit due to an assertion failure. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0-beta2."}, {"lang": "es", "value": "Un paquete que contiene un DUID malformado puede hacer que el proceso del servidor Kea DHCPv6 (kea-dhcp6) se cierre debido a un error de aserci\u00f3n. Versiones afectadas: 1.4.0 hasta 1.5.0, 1.6.0-beta1 y 1.6.0-beta2."}], "id": "CVE-2019-6472", "lastModified": "2019-12-05T14:28:50.940", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-officer@isc.org", "type": "Secondary"}]}, "published": "2019-10-16T18:15:37.043", "references": [{"source": "security-officer@isc.org", "tags": ["Vendor Advisory"], "url": "https://kb.isc.org/docs/cve-2019-6472"}], "sourceIdentifier": "security-officer@isc.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "nvd@nist.gov", "type": "Primary"}]}