ntpkeygen can generate keys that ntpd fails to parse. NTPsec 1.2.0 allows ntpkeygen to generate keys with '#' characters. ntpd then either pads, shortens the key, or fails to load these keys entirely, depending on the key type and the placement of the '#'. This results in the administrator not being able to use the keys as expected or the keys are shorter than expected and easier to brute-force, possibly resulting in MITM attacks between ntp clients and ntp servers. For short AES128 keys, ntpd generates a warning that it is padding them.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1955859 | Issue Tracking Patch Third Party Advisory |
https://gitlab.com/NTPsec/ntpsec/-/issues/699 | Issue Tracking Patch Third Party Advisory |
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22212.json | Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GIT2HYL5BQXPGKI6ZDNG473IEQ5WQF2/ |
Configurations
History
07 Nov 2023, 03:30
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
04 Jun 2022, 03:02
Type | Values Removed | Values Added |
---|---|---|
First Time |
Fedoraproject
Fedoraproject fedora |
|
CPE | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* | |
References |
|
21 Jun 2021, 13:55
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-327 | |
CVSS |
v2 : v3 : |
v2 : 5.8
v3 : 7.4 |
CPE | cpe:2.3:a:ntpsec:ntpsec:1.2.0:*:*:*:*:*:*:* | |
References | (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1955859 - Issue Tracking, Patch, Third Party Advisory | |
References | (CONFIRM) https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22212.json - Third Party Advisory | |
References | (MISC) https://gitlab.com/NTPsec/ntpsec/-/issues/699 - Issue Tracking, Patch, Third Party Advisory |
08 Jun 2021, 13:53
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-06-08 13:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-22212
Mitre link : CVE-2021-22212
CVE.ORG link : CVE-2021-22212
JSON object : View
Products Affected
ntpsec
- ntpsec
fedoraproject
- fedora
CWE
CWE-327
Use of a Broken or Risky Cryptographic Algorithm