CVE-2021-22212 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-22212 PUBLISHED CVSS 4 MEDIUM

ntpkeygen can generate keys that ntpd fails to parse. NTPsec 1.2.0 allows ntpkeygen to generate keys with '#' characters. ntpd then either pads, shortens the key, or fails to load these keys entirely, depending on the key type and the placement of the '#'. This results in the administrator not being able to use the keys as expected or the keys are shorter than expected and easier to brute-force, possibly resulting in MITM attacks between ntp clients and ntp servers. For short AES128 keys, ntpd generates a warning that it is padding them.

EPSS 0.13% · 32.8th percentile

Risk Scores

CVSS v3.1

4

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

EPSS Score

0.13%

32.8th percentile

Affected Products

Vendor	Product	Versions
fedoraproject	fedora	34
ntpsec	ntpsec	1.2.0
NTPsec	ntpsec	=1.2.0

Timeline

Jun 8, 2021 CVE Published
Jun 9, 2021 EPSS Score
Aug 9, 2021 EPSS Score
Oct 8, 2021 EPSS Score
Dec 8, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Feb 6, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Apr 7, 2022 EPSS Score
Jun 6, 2022 EPSS Score
Aug 7, 2022 EPSS Score
Oct 6, 2022 EPSS Score

References

Open in Interactive Console →