Main Vulnerability Database SB2021060747

SB2021060747 - Fedora 34 update for ntpsec

Published: June 7, 2021

Security Bulletin ID SB2021060747

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2021-22212)

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper input validation when parsing keys generated by ntpkeygen. If the key contains a string with with '#' characters, the ntpd then either pads, shortens the key, or fails to load these keys entirely, which can result in possibility to launch MITM attacks between ntp clients and ntp servers.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2021-3ffc890685