Use of a broken or risky cryptographic algorithm in NTPsec - CVE-2021-22212

 

Use of a broken or risky cryptographic algorithm in NTPsec - CVE-2021-22212

Published: August 6, 2023


Vulnerability identifier: #VU78974
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-22212
CWE-ID: CWE-327
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The NTPsec project
Affected software:
NTPsec

Detailed vulnerability description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper input validation when parsing keys generated by ntpkeygen. If the key contains a string with with '#' characters, the ntpd then either pads, shortens the key, or fails to load these keys entirely, which can result in possibility to launch MITM attacks between ntp clients and ntp servers.


How to mitigate CVE-2021-22212

Install updates from vendor's website.

Sources