Description
Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.
This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.
A flaw was found in the Kea package, where an unprivileged user can instruct Kea to load a hook library from any arbitrary local file. This hook can then be executed using the same privileges that Kea runs under. This vulnerability allows an attacker with access to a local, unprivileged account to introduce a malicious local hook library, which Kea will execute, achieving arbitrary code execution and privilege escalation.
Report
This vulnerability is rated Important because it is a local privilege escalation flaw in the configuration and API directives related to hook library loading. It is triggered when an attacker with local unprivileged access instructs Kea to load a malicious hook library, which is possible if the API entry points are unsecured or control sockets are in insecure paths. This leads to arbitrary code execution, enabling an attacker to gain unauthorized access to sensitive data, alter critical system configurations, and disrupt service availability.
Mitigation
This vulnerability can be mitigated via one of the two following alternatives:
- Disable the Kea API entirely by disabling the kea-ctrl-agent and removing any control-socket stanzas from the Kea configuration files.
- Configure the API to require authentication for the kea-ctrl-agent and configure all "control-socket" stanzas to use a directory restricted to trusted users.
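The following audit sketch checks a parsed Kea configuration against the second alternative. It is an added example, not code from the Kea project or the original advisory. It assumes the configuration has already been loaded as plain JSON (no comments), treats any access bit for "other" on a socket directory as "not restricted to trusted users", and uses constructed sample paths in `demo()`.

```python
import os
import stat
import tempfile

def socket_stanzas(node, path=""):
    """Yield (json_path, stanza) for every map that carries a "socket-name"."""
    if isinstance(node, dict):
        if "socket-name" in node:
            yield path, node
        for key, val in node.items():
            yield from socket_stanzas(val, f"{path}/{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from socket_stanzas(val, f"{path}[{i}]")

def audit(config):
    """Return a list of findings for one parsed Kea configuration."""
    findings = []
    for where, stanza in socket_stanzas(config):
        sock_dir = os.path.dirname(stanza["socket-name"]) or "."
        try:
            mode = os.stat(sock_dir).st_mode
        except OSError:
            findings.append(f"{where}: socket directory {sock_dir} does not exist")
            continue
        # Assumption: "restricted to trusted users" means no access bits for "other".
        if mode & stat.S_IRWXO:
            findings.append(f"{where}: {sock_dir} is accessible to all local users "
                            f"(mode {stat.S_IMODE(mode):o})")
    agent = config.get("Control-agent")
    if agent is not None and not (agent.get("authentication") or {}).get("clients"):
        findings.append("/Control-agent: no authentication clients configured")
    return findings

def demo():
    """Constructed sample: one open socket directory, one restricted, no agent auth."""
    base = tempfile.mkdtemp()
    open_dir, closed_dir = os.path.join(base, "open"), os.path.join(base, "kea")
    for d, mode in ((open_dir, 0o1777), (closed_dir, 0o750)):
        os.mkdir(d)
        os.chmod(d, mode)
    config = {
        "Dhcp4": {"control-socket": {"socket-name": f"{open_dir}/kea4-ctrl-socket"}},
        "Dhcp6": {"control-socket": {"socket-name": f"{closed_dir}/kea6-ctrl-socket"}},
        "Control-agent": {"http-host": "127.0.0.1", "http-port": 8000},
    }
    return audit(config)

if __name__ == "__main__":
    print("\n".join(demo()))
```

An empty result from `audit()` covers only these two checks; it does not establish that the installed Kea version is outside the affected ranges.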
Additional information
Status:
EPSS
CVSS3: 7.8 High