Unrated severity · NVD Advisory · Published Jun 8, 2021 · Updated Aug 3, 2024
CVE-2021-22212
Description
ntpkeygen can generate keys that ntpd fails to parse. NTPsec 1.2.0 allows ntpkeygen to generate keys with '#' characters. ntpd then either pads or shortens the key, or fails to load these keys entirely, depending on the key type and the placement of the '#'. As a result, the administrator cannot use the keys as expected, or the keys are shorter than expected and easier to brute-force, possibly resulting in MITM attacks between ntp clients and ntp servers. For short AES128 keys, ntpd generates a warning that it is padding them.
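A check an administrator could run over an existing keys file to find entries affected by the '#' problem described above. This is an added example, not code from NTPsec or from this advisory; the `keyid type key  # comment` layout, the sample entries, and the model that a reader stops at the first '#' are assumptions made for illustration.

```python
# Constructed sample in an assumed "keyid type key  # comment" layout.
# These are not real keys and the type labels are illustrative only.
SAMPLE_KEYS = """\
# constructed sample keys file
 1 AES Zq7mK2pLx9Tn4RbV  # AES key
 2 AES Zq7m#2pLx9Tn4RbV  # AES key
 3 SHA1 #f3kd82jsk20dkf93kd8  # SHA1 key
 4 SHA1 9a0c4e5b7d1f2a3c6e8b0d4f5a7c9e1b3d5f7a9c
"""


def audit_keys(text):
    """Return (keyid, keytype, written_len, effective_len) for every entry
    whose key field contains '#'.

    Assumption: a parser that treats '#' as the start of a comment keeps
    only the part of the key before the first '#'. effective_len == 0
    models a key that would not load at all.
    """
    findings = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, whole-line comments and malformed entries.
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        keyid, keytype, key = int(fields[0]), fields[1], fields[2]
        if "#" in key:
            effective = key.split("#", 1)[0]
            findings.append((keyid, keytype, len(key), len(effective)))
    return findings


if __name__ == "__main__":
    for keyid, keytype, written, effective in audit_keys(SAMPLE_KEYS):
        state = "unusable" if effective == 0 else "shortened"
        print(f"key {keyid} ({keytype}): {written} chars written, "
              f"{effective} usable -> {state}; regenerate this key")
```

Any key it reports should be regenerated and redistributed to both peers rather than edited in place.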
Affected products
- osv-coords (3 versions), range: >= 0
  - pkg:deb/ubuntu/[email protected]+dfsg1-1ubuntu0.2?arch=source&distro=esm-apps/bionic
  - pkg:deb/ubuntu/[email protected]+dfsg1-4build1?arch=source&distro=focal
  - pkg:rpm/opensuse/ntpsec&distro=openSUSE%20Tumbleweed
- (no CPE), range: >= 0
- (no CPE), range: >= 0
- (no CPE), range: < 1.2.1-1.2
Patches
No patches discovered yet.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GIT2HYL5BQXPGKI6ZDNG473IEQ5WQF2/ (mitre, vendor-advisory, x_refsource_FEDORA)
- bugzilla.redhat.com/show_bug.cgi (mitre, x_refsource_MISC)
- gitlab.com/NTPsec/ntpsec/-/issues/699 (mitre, x_refsource_MISC)
- gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22212.json (mitre, x_refsource_CONFIRM)