# Kea 2.6.3 Security Release Notes, May 28, 2025

Welcome to Kea 2.6.3, a security release of the stable 2.6 series.  This
supersedes the previous release, version 2.6.2.

Kea is a DHCP implementation developed by Internet Systems Consortium
(ISC) that features DHCPv4 and DHCPv6 servers with DNS update and a REST
API; optional database support (MySQL and PostgreSQL); optional RADIUS,
Kerberos, YANG/NETCONF, and GSS-TSIG support; and much more. Kea
provides extensive management capabilities, including but not limited
to: TLS support, Role-Based Access Control, run-time configuration
monitoring and updates via a REST API, host reservations, and client
classification.

The text below references issue numbers. For more details, visit the Kea
GitLab page at https://gitlab.isc.org/isc-projects/kea/-/issues. For
details about Docker issues, visit the page at
https://gitlab.isc.org/isc-projects/kea-docker/-/issues/. For details
about packaging, visit the page at
https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/.

The following changes and fixes have been made in version 2.6.3:

1. **Security: Default configuration**: Running Kea with access to its
API insufficiently secured poses significant risks and is strongly
discouraged. The default configuration for the Kea Control Agent (CA)
has been updated to enable basic HTTP authentication.  Access to the Kea
API will thus require a password.  It also contains additional examples
of stronger authentication, based on TLS certificates that only allow
access to clients presenting valid TLS certificates. These changes
address CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803 [#3825,
#3856].

2. **Security: Hooks files**: To limit the severity of an attack via an
insufficiently protected API, `kea-dhcp4`, `kea-dhcp6`, `kea-dhcp-ddns`,
and `kea-ctrl-agent` now only load hook libraries from the default
installation directory. Kea will not load the hook library if a path
other than the default is specified. For ease of use, the path may be
omitted. This change addresses CVE-2025-32801 [#3830, #3838].

3. **Security: Config files**: To limit the scope of an attack on an
insufficiently protected API, the API command `config-write` will now
only write to the same directory as the configuration file used when Kea
was started (passed as a `-c` argument). This change addresses
CVE-2025-32802 [#3830, #3838].

4. **Security: Lease files**: To mitigate the severity of an attack on
an insufficiently protected API, lease files can now only be loaded from
a defined data directory.  The default data directory is determined
during compilation: `[kea-install-dir]/var/lib/kea`. This path may be
overridden at startup by setting the environment variable
`KEA_DHCP_DATA_DIR` to the desired path. If a path outside the defined
data directory is used in `lease-database.name`, Kea returns an error
and refuses to start or, if already running, aborts and exits. For ease
of use in specifying a custom file name, simply omit the path component
from `name`. This change addresses CVE-2025-32802 [#3831, #3840].

5. **Security: Log files**: To mitigate the severity of an attack on an
insufficiently protected API, log files can now only be written to a
defined output directory.  The default directory is determined during
compilation: `[kea-install-dir]/var/log/kea`. This path may be
overridden at startup by setting the environment variable
`KEA_LOG_FILE_DIR` to the desired path. If a path outside the defined
output directory is used in `loggers.output_options.output`, Kea returns
an error and refuses to start or, if already running, aborts and exits.
For ease of use, simply omit the path component from `output` and
specify only the file name. This change addresses CVE-2025-32802 [#3831,
#3840].

6. **Security: File permissions**: To prevent exposure of potentially
confidential data, files created by Kea now have more restrictive file
permissions. Write access by group and any access by others is now
forbidden. This change addresses CVE-2025-32803 [#3832, #3842].

7. **Security: Sockets**: To prevent unauthorized access and potential
denial of service, sockets can no longer be created in a world-writable
directory, such as `/tmp`. Sockets must now be created in the more
restricted `[kea-install-dir]/var/run/kea`. This change addresses
CVE-2025-32802 [#3831, #3840].

8. **Security: Documentation**: Many sample configuration files have
been updated to reflect changes introduced in this release. In the ARM,
the Kea Security section has been moved to a more prominent location,
and a new section concerning securing the Kea Control Agent has been
added. These changes address CVE-2025-32801, CVE-2025-32802, and
CVE-2025-32803 [#3833, #3844].

9. **Build improvements**: The source code was updated to build with the
latest Boost 1.87 [#3696, #3823].

10. **Documentation update**: Backported a clarification in the ARM
about subnet4-delta-add [#3773, #3869].
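The location rules in items 2, 4, 5 and 7 and the authentication requirement in item 1 can be checked in a configuration file before a restart, which is useful when upgrading an existing deployment to 2.6.3. The script below is an added example written for these notes, not ISC's code. It assumes a build with prefix `/usr/local` for the default directories (a real build bakes in its own values, and `KEA_DHCP_DATA_DIR` / `KEA_LOG_FILE_DIR` override the data and log directories), and it uses the Kea configuration keys `hooks-libraries`, `lease-database`, `loggers` / `output_options`, `control-socket` / `control-sockets` and `authentication`. Item 3 (`config-write`) depends on the `-c` argument, not on the file contents, so it is not checked here.

```python
"""Static audit of a Kea configuration against the 2.6.3 location rules.
Added example for these release notes; it is not ISC's code."""
import json
import os
import re

# Directories the release confines files to.  These values are assumptions for
# a build with prefix /usr/local; your build's compile-time defaults differ,
# and KEA_DHCP_DATA_DIR / KEA_LOG_FILE_DIR override the data and log
# directories for the lifetime of the process.
DEFAULT_DIRS = {
    "hooks": "/usr/local/lib/kea/hooks",
    "data": os.environ.get("KEA_DHCP_DATA_DIR", "/usr/local/var/lib/kea"),
    "log": os.environ.get("KEA_LOG_FILE_DIR", "/usr/local/var/log/kea"),
    "run": "/usr/local/var/run/kea",
}

# Matches a JSON string, or a //, # or /* */ comment.  Strings are matched
# first so that a "#" or "//" inside a value is not mistaken for a comment.
_STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|#[^\n]*|/\*.*?\*/', re.S)


def load_kea_json(text):
    """Parse Kea's JSON dialect: strict JSON plus the comment forms Kea accepts."""
    cleaned = _STRING_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return json.loads(cleaned)


def outside(path, allowed_dir):
    """True when `path` has a directory component other than `allowed_dir`.
    A bare file name is accepted: that is the "omit the path" form."""
    directory = os.path.dirname(path)
    return directory != "" and os.path.normpath(directory) != os.path.normpath(allowed_dir)


def audit(config_text, dirs=DEFAULT_DIRS):
    """Return (rule, offending value) pairs for settings Kea 2.6.3 refuses,
    plus one finding when the Control Agent has no authentication block."""
    cfg = load_kea_json(config_text)
    findings = []
    for server in ("Dhcp4", "Dhcp6", "DhcpDdns", "Control-agent"):
        section = cfg.get(server)
        if section is None:
            continue
        # Item 2: hook libraries only from the default installation directory.
        for hook in section.get("hooks-libraries", []):
            if outside(hook.get("library", ""), dirs["hooks"]):
                findings.append(("hook-library-path", hook["library"]))
        # Item 4: memfile lease files only inside the data directory.
        ldb = section.get("lease-database", {})
        if ldb.get("type") == "memfile" and outside(ldb.get("name", ""), dirs["data"]):
            findings.append(("lease-file-path", ldb["name"]))
        # Item 5: log files only inside the log directory; stdout, stderr and
        # syslog are not files and are exempt.
        for logger in section.get("loggers", []):
            for opt in logger.get("output-options", logger.get("output_options", [])):
                out = opt.get("output", "")
                if out in ("stdout", "stderr") or out.startswith("syslog"):
                    continue
                if outside(out, dirs["log"]):
                    findings.append(("log-file-path", out))
        # Item 7: UNIX control sockets only inside the run directory.
        sockets = [section["control-socket"]] if "control-socket" in section else []
        sockets += list(section.get("control-sockets", {}).values())
        for sock in sockets:
            if sock.get("socket-type") == "unix" and outside(sock.get("socket-name", ""), dirs["run"]):
                findings.append(("socket-path", sock["socket-name"]))
        # Item 1: the Control Agent API must not be reachable unauthenticated.
        if server == "Control-agent" and "authentication" not in section:
            findings.append(("api-without-authentication", server))
    return findings


# Constructed sample in the pre-2.6.3 style, with locations 2.6.3 now rejects.
SAMPLE_CONFIG = r"""
{
  "Dhcp4": {
    "hooks-libraries": [
      { "library": "/tmp/libdhcp_lease_cmds.so" },   // rejected: not the hooks directory
      { "library": "libdhcp_stat_cmds.so" }          // accepted: path omitted
    ],
    "lease-database": {
      "type": "memfile",
      "name": "/var/lib/kea/kea-leases4.csv"          # rejected: outside the data directory
    },
    "control-socket": { "socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket" },
    "loggers": [ {
      "name": "kea-dhcp4", "severity": "INFO",
      "output_options": [ { "output": "kea-dhcp4.log" },
                          { "output": "/var/log/kea-dhcp4.log" } ]
    } ]
  },
  /* Control Agent without any "authentication" block: the API is open. */
  "Control-agent": { "http-host": "127.0.0.1", "http-port": 8000 }
}
"""

if __name__ == "__main__":
    for rule, value in audit(SAMPLE_CONFIG):
        print(f"{rule}: {value}")
```

Run against the sample it reports five findings: the `/tmp` hook library, the lease file under `/var/lib/kea`, the log file under `/var/log`, the `/tmp` socket, and the Control Agent with no `authentication` block. A file name with no directory component passes every path rule, which is the form the notes recommend.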

## Incompatible Changes

1. The Kea Control Agent (CA) default configuration has API
authentication enabled by default. A password must be stored in the
`kea-api-password` file before the CA can start. This password should be
either generated or provided by the administrator. When upgrading from
older versions, it is strongly recommended not to leave the API channel
unprotected. In addition, users are encouraged to consider enabling even
stronger mechanisms, based on TLS certificates. An appropriately
commented-out section has been added to the default configuration.

2. To mitigate the severity of an attack on an insufficiently protected
API, Kea is now much more restrictive in where it allows files to be
written. Operations that result in writing files (and potentially
overwriting important system files) are no longer liberal in accepting
random paths; the paths are restricted to expected locations for
configuration, lease, DUID, and log files. Many of those can be
overwritten by environment variables, but those are fixed for the entire
lifetime of a process and are no longer modifiable via the API. The new
default configurations have this change applied so new installations are
secured, but please alter your configuration if upgrading.

3. To address potential denial-of-service and spoofing attacks, Kea no
longer creates sockets in `/tmp`, which is a world-writable directory on
most systems. Instead, it uses the
`[kea-install-dir]/var/run/kea` directory for sockets. The new
default configurations have this change applied so new installations are
secured, but please alter your configuration if upgrading.

## Known Issues

A problem was discovered that can occur when Kea is configured
incorrectly. This issue can cause the Kea process to print an error and
terminate unexpectedly. For the problem to be triggered, all of the
following conditions need to be met:

1. Global host reservations with an IP address are defined
2. The global reservation mechanism is disabled ("reservations-global":
false)
3. Early global reservation lookup is enabled
("early-global-reservations-lookup": true)
4. A packet is received that matches a defined global host reservation

It would be unusual to encounter the above environment under normal
operation, because with the global reservation mechanism disabled
(Condition 2) it does not make sense to define any global host
reservations (Condition 1) or to enable early global reservation lookup
(Condition 3).

To avoid this unexpected shutdown, one or more of the conditions needs
to be eliminated. This can be achieved in a number of ways:

1. If you are intending to deploy global reservations with the early
reservation lookup feature, make sure that you enable
"reservations-global" at the same time that you enable
"early-global-reservations-lookup" in your configuration.

2. If you are already running Kea with global reservations but wish to
stop using this functionality, temporarily or permanently, ensure that
you disable both "reservations-global" and
"early-global-reservations-lookup" in your configuration.

3. Remove global host reservations for your devices if they are not used.
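Conditions 1 to 3 above are static properties of the configuration, so they can be detected before a matching packet (condition 4) ever arrives. The snippet below is an added example for these notes, not ISC's code; it takes the parsed `Dhcp4` or `Dhcp6` section as a Python dict and assumes the usual Kea key names: the global `reservations` list with `ip-address` (DHCPv4) or `ip-addresses` (DHCPv6), and the `reservations-global` and `early-global-reservations-lookup` flags, both of which default to false when absent.

```python
"""Static check for the "Known Issues" misconfiguration: global host
reservations with an address while "reservations-global" is false and
"early-global-reservations-lookup" is true.  Added example for these notes,
not ISC's code; the input is the parsed "Dhcp4" or "Dhcp6" section as a dict."""


def global_reservations_with_address(dhcp):
    """Entries of the global "reservations" list that carry an address
    ("ip-address" for DHCPv4, "ip-addresses" for DHCPv6)."""
    return [r for r in dhcp.get("reservations", [])
            if r.get("ip-address") or r.get("ip-addresses")]


def early_lookup_misconfigured(dhcp):
    """Conditions 1-3 of the known issue.  Both flags default to false when
    absent, so a configuration that only sets the early-lookup flag qualifies.
    Condition 4 (a matching packet) is a run-time event and is not checked."""
    return (bool(global_reservations_with_address(dhcp))
            and not dhcp.get("reservations-global", False)
            and bool(dhcp.get("early-global-reservations-lookup", False)))


def remediate(dhcp, keep_global_reservations):
    """Copy of the section with remediation 1 (enable "reservations-global")
    or remediation 2 (disable both flags) applied.  Remediation 3, dropping
    the reservations themselves, is left to the operator."""
    fixed = dict(dhcp)
    if keep_global_reservations:
        fixed["reservations-global"] = True
    else:
        fixed["reservations-global"] = False
        fixed["early-global-reservations-lookup"] = False
    return fixed


# Constructed sample meeting conditions 1-3; the second reservation has no
# address and therefore does not count towards condition 1.
SAMPLE_DHCP4 = {
    "early-global-reservations-lookup": True,
    "reservations-global": False,
    "reservations": [
        {"hw-address": "00:11:22:33:44:55", "ip-address": "192.0.2.10"},
        {"hw-address": "00:11:22:33:44:66", "hostname": "printer"},
    ],
    "subnet4": [{"id": 1, "subnet": "192.0.2.0/24",
                 "pools": [{"pool": "192.0.2.100 - 192.0.2.200"}]}],
}

if __name__ == "__main__":
    print("misconfigured:", early_lookup_misconfigured(SAMPLE_DHCP4))
    for keep in (True, False):
        fixed = remediate(SAMPLE_DHCP4, keep)
        print("after remediation", 1 if keep else 2, ":",
              early_lookup_misconfigured(fixed))
```

The sample reports the misconfiguration, and either remediation clears it. Because `reservations-global` defaults to false, a section that defines global reservations and sets only `early-global-reservations-lookup` is also flagged, which is the case an operator is most likely to hit when enabling the feature in two steps.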

This issue affects all currently-supported versions of Kea. Although we
have not tested EOL versions, we believe that this condition is present
in all releases from 2.3.5 onwards.

Future Kea versions will have improved error handling and will prevent
this issue from happening.

## Acknowledgments

ISC would like to thank Matthias Gerstner from the SUSE security team
and Laura Pardo from Red Hat's Product Security Team for bringing this
vulnerability to our attention.

## License

This version of Kea is released under the Mozilla Public License,
version 2.0.

https://www.mozilla.org/en-US/MPL/2.0

Some Kea hook libraries are provided under the MPL 2.0; others are
licensed with the Kea Hooks Basic Commercial End User License. The
source for each hook library includes the applicable license.

## Download

Pre-built ISC packages for current versions of the most popular Linux
operating systems are available at:

https://cloudsmith.io/~isc/repos/

Pre-built Docker images as well as Docker files are available. For
details, see:

https://gitlab.isc.org/isc-projects/kea-docker

The Kea source and PGP signature for this release may be downloaded from:

https://www.isc.org/download

The signature was generated with the ISC code-signing key, which is
available at:

https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions
and usage tutorials, in the Kea Administrator Reference Manual.
Documentation is included with the installation or at
https://kea.readthedocs.io/en/latest/index.html in HTML, PDF, or EPUB
formats. ISC maintains a public open source code tree, wiki, issue
tracking system, milestone planner, and roadmap at
https://gitlab.isc.org/isc-projects/kea.

Limitations and known issues with this release can be found at
https://gitlab.isc.org/isc-projects/kea/-/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for
you and what operating system you tested on. Feel free to share your
feedback on the Kea Users mailing list
(https://lists.isc.org/mailman/listinfo/kea-users). We would also like
to hear whether the documentation is adequate and accurate. Please open
tickets in the Kea GitLab project for bugs, documentation omissions and
errors, and enhancement requests. We want to hear from you even if
everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all
professional users to consider this option; Kea maintenance is funded
with support subscriptions. For more information on ISC's Kea software
support, see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing
list. Information on all public email lists is available at
https://www.isc.org/community/mailing-list. If you have any comments or
questions about working with Kea, please share them to the Kea Users
list (https://lists.isc.org/mailman/listinfo/kea-users). Bugs and
feature requests may be submitted via GitLab at
https://gitlab.isc.org/isc-projects/kea/-/issues.

## Changes

The following summarizes changes and important upgrades since the
previous release, version 2.6.2.

2266.	[build]		andrei
	The library version numbers have been bumped up for the Kea 2.6.3
	stable release.
	(Gitlab #3891)

2265.	[sec]*		fdupont
	Change the umask to no group write and no other access
	at the entry of Kea server/agent binaries.
	CVE:2025-32803
	(Gitlab #3842, #3832)

2264.	[sec]*		tmark
	kea-dhcp4, kea-dhcp6, kea-dhcp-ddns, and kea-ctrl-agent will
	now only load hook libraries from the default installation
	directory.  If a path other than this is specified Kea will
	not load the hook library.  For ease of use, the path may be
	omitted.
	CVE:2025-32801
	(Gitlab #3838, #3830)

2263.	[build]		fdupont, q66
	Kea can now build with Boost 1.87. The minimum supported Boost
	version has been bumped up from 1.57 to 1.66. Thanks to q66
	for the patch.
	(Gitlab #3823, #3696)

2262.	[build]		dim
	Replace ``std::basic_string<uint8_t>`` with equivalent
	``std::vector<uint8_t>`` constructs, since the former has been
	deprecated for a while in libc++, and has been completely
	removed as of libc++ 19.
	(Gitlab #3823, #3532)

There were no changes to the hook libraries, but please update hook
libraries to the 2.6.3 version when updating your core application(s).

Thank you again to everyone who assisted us in making this release
possible.

We look forward to receiving your feedback.