Main Vulnerability Database SB2023082456

SB2023082456 - Dependency on vulnerable third-party component in ntpd-rs

Published: August 24, 2023 Updated: April 24, 2026

Security Bulletin ID SB2023082456

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Adjecent network

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Dependency on vulnerable third-party component (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause excessive cpu usage during startup.

The vulnerability exists due to dependency on a vulnerable third-party component in the NTS key validation process when performing NTS key exchange during startup. A remote attacker can man-in-the-middle traffic to and from NTS key exchange servers to cause excessive cpu usage during startup.

Only clients configured to use NTS are vulnerable.

Remediation

Install update from vendor's website.

References

https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-37xq-q42p-rv3p
https://github.com/advisories/GHSA-37xq-q42p-rv3p