Dependency on vulnerable third-party component in ntpd-rs - #VU127485

 


Published: August 24, 2023 / Updated: April 24, 2026


Vulnerability identifier: #VU127485
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-1395
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vulnerable software:
ntpd-rs
Software vendor:
Project Pendulum

Description

The vulnerability allows a remote attacker to cause excessive CPU usage during startup.

The vulnerability exists due to a dependency on a vulnerable third-party component used in NTS key validation during the NTS key exchange performed at startup. A remote attacker who can man-in-the-middle traffic to and from NTS key exchange servers can cause excessive CPU usage during startup.

Only clients configured to use NTS are vulnerable.


Remediation

Install the security update from the vendor's website.

External links