An extension to hooks capabilities which debuted in Kea 1.4.0 introduced a memory leak for operators who are using certain hooks library facilities. In order to support multiple requests simultaneously, Kea 1.4 added a callout handle store but unfortunately the initial implementation of this store does not properly free memory in every case. Hooks which make use of query4 or query6 parameters in their callouts can leak memory, resulting in the eventual exhaustion of available memory and subsequent failure of the server process. Affects Kea DHCP 1.4.0.
CWE-ID: CWE Name: Only servers using hooks which make use of the callout handle store are affected. A Kea server which is using one or more hooks libraries that exhibit this problem will increase its memory use over time, with the rate of increase being proportional to the amount of DHCP traffic processed. Eventually, due to uncontrolled growth, the server will either exhaust all system memory or, if the administrator has set a per-process memory limit, will hit that limit, after which point further memory allocations will fail and the Kea server will crash.
An attacker who is within the broadcast domain of the Kea server or in a network which is permitted to relay DHCP traffic to the Kea server can hasten the arrival of this outcome by deliberately sending a large volume of requests to the Kea server.
Ability to deliberately trigger this vulnerability depends on the hooks libraries used and the hook points used for callouts. Our scoring for this vulnerability is based on the hook points used for hook libraries distributed by ISC and also based on the assumption that the Kea server does not accept arbitrary traffic from the internet (but is protected, e.g. by firewall, and only accepts DHCP traffic from the local broadcast domain and from nearby networks via authorized DHCP relay agents.) We cannot score every combination, but the risk could be higher to custom-developed hook libraries using other hook points or to servers which accept arbitrary DHCP traffic without restriction. Source: ISC
Common Attack Pattern Enumeration and Classification (CAPEC)