7.4

CVE-2021-22212

ntpkeygen can generate keys that ntpd fails to parse. NTPsec 1.2.0 allows ntpkeygen to generate keys with '#' characters. ntpd then either pads, shortens the key, or fails to load these keys entirely, depending on the key type and the placement of the '#'. This results in the administrator not being able to use the keys as expected or the keys are shorter than expected and easier to brute-force, possibly resulting in MITM attacks between ntp clients and ntp servers. For short AES128 keys, ntpd generates a warning that it is padding them.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NtpsecNtpsec Version1.2.0
FedoraprojectFedora Version34
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.14% 0.334
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.4 2.2 5.2
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov 5.8 8.6 4.9
AV:N/AC:M/Au:N/C:P/I:P/A:N
cve@gitlab.com 4 0.3 3.6
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

https://bugzilla.redhat.com/show_bug.cgi?id=1955859
Patch
Third Party Advisory
Issue Tracking
https://gitlab.com/NTPsec/ntpsec/-/issues/699
Patch
Third Party Advisory
Issue Tracking