CVE-2025-32801: 
Rocky Linux vulnerability analysis and mitigation

CVE-2025-32801 is a high-severity vulnerability discovered in Kea DHCP server suite, disclosed on May 28, 2025. The vulnerability affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. The issue allows loading of malicious hook libraries through Kea configuration and API directives, particularly concerning in configurations where Kea runs as root with unsecured API entry points (ISC KB).

The vulnerability involves the ability to load malicious hook libraries through Kea configuration and API directives. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with high impact potential. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (ISC KB, NVD).

If successfully exploited, an attacker with access to a local unprivileged user account can instruct Kea to load a hook library from an arbitrary local file, including files introduced by the attacker. The malicious hook would execute with the privileges available to Kea, which often runs as root, potentially leading to complete system compromise (ISC KB, Wiz).

Two mitigation approaches are available: 1) Disable the Kea API entirely by disabling the kea-ctrl-agent and removing any 'control-socket' stanzas from the Kea configuration files, or 2) Secure API access by requiring authentication and configuring all 'control-socket' stanzas to use a directory restricted to only trusted users. Additionally, patched versions (2.4.2, 2.6.3, and 2.7.9) have been released to address this vulnerability (ISC KB).

The vulnerability was responsibly disclosed with acknowledgments to Matthias Gerstner from the SUSE security team and Laura Pardo from Red Hat's Product Security Team for bringing this vulnerability to ISC's attention (ISC KB).