1. Home
  2. CVE Database
  3. CVE-2021-22212
MEDIUM · 4.0

CVE-2021-22212

ntpkeygen can generate keys that ntpd fails to parse. NTPsec 1.2.0 allows ntpkeygen to generate keys with '#' characters. ntpd then either pads, shortens the key, or fails to load these keys entirely,...

Vulnerability Description

ntpkeygen can generate keys that ntpd fails to parse. NTPsec 1.2.0 allows ntpkeygen to generate keys with '#' characters. ntpd then either pads, shortens the key, or fails to load these keys entirely, depending on the key type and the placement of the '#'. This results in the administrator not being able to use the keys as expected or the keys are shorter than expected and easier to brute-force, possibly resulting in MITM attacks between ntp clients and ntp servers. For short AES128 keys, ntpd generates a warning that it is padding them.

CVSS Score

4.0

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
NtpsecNtpsec1.2.0
FedoraprojectFedora34

Related Weaknesses (CWE)

CWE-327

References

FAQ

What is CVE-2021-22212?

CVE-2021-22212 is a vulnerability with a CVSS score of 4.0 (MEDIUM). ntpkeygen can generate keys that ntpd fails to parse. NTPsec 1.2.0 allows ntpkeygen to generate keys with '#' characters. ntpd then either pads, shortens the key, or fails to load these keys entirely,...

How severe is CVE-2021-22212?

CVE-2021-22212 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-22212?

Check the references section above for vendor advisories and patch information. Affected products include: Ntpsec Ntpsec, Fedoraproject Fedora.