Dependency on vulnerable third-party component in ntpd-rs - #VU127485

 

Published: August 24, 2023 / Updated: April 24, 2026


Vulnerability identifier: #VU127485
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-1395
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Project Pendulum
Affected software:
ntpd-rs

Detailed vulnerability description

The vulnerability allows a remote attacker to cause excessive CPU usage during startup.

The vulnerability exists due to a dependency on a vulnerable third-party component in the NTS key validation process, which runs when the client performs NTS key exchange during startup. A remote attacker who can man-in-the-middle traffic to and from NTS key exchange servers can cause excessive CPU usage during startup.

Only clients configured to use NTS are vulnerable.


Remediation

Install the security update from the vendor's website.

Sources