Incomplete Internal State Distinction in ntpsec
CVE-2023-4012

7.5HIGH

Key Information:

Vendor

Ntpsec

Status
Vendor
CVE Published:
7 August 2023

What is CVE-2023-4012?

An issue has been identified in NTPsec where the NTPD server crashes upon receiving a request from a client that is NTS-enabled, when the server itself is not configured for NTS (has no certificate). This vulnerability can be exploited in scenarios where an NTS-enabled client attempts to communicate with a non-NTS server, leading to a server crash and potential service disruption.

Affected Version(s)

ntpsec 1.2.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

R.L. Nicholas
.