Parsing Vulnerability in NTPsec Affects Key Generation
CVE-2021-22212

4MEDIUM

Key Information:

Vendor

Ntpsec

Status
Vendor
CVE Published:
8 June 2021

What is CVE-2021-22212?

In NTPsec version 1.2.0, flaws in the key generation process via ntpkeygen can lead to keys containing '#' characters, which are incorrectly parsed by the ntpd service. This may result in the keys being truncated or padded, leading to potential usability issues for administrators. Furthermore, when AES128 keys are generated, a warning is issued which implies a shortening of the keys, thereby making them more susceptible to brute-force attacks. This vulnerability can thus pose a risk of man-in-the-middle attacks between NTP clients and servers, compromising network security.

Affected Version(s)

ntpsec =1.2.0

References

CVSS V3.1

Score:
4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Maciej Zenczykowski
.