Test ID:	1.3.6.1.4.1.25623.1.0.114365
Category:	General
Title:	NTPsec < 1.2.1 Improper Filtering Vulnerability
Summary:	NTPsec is prone to an improper filtering vulnerability.
Description:	Summary: NTPsec is prone to an improper filtering vulnerability. Vulnerability Insight: ntpkeygen can generate keys that ntpd fails to parse. NTPsec allows ntpkeygen to generate keys with '#' characters. ntpd then either pads, shortens the key, or fails to load these keys entirely, depending on the key type and the placement of the '#'. This results in the administrator not being able to use the keys as expected or the keys are shorter than expected and easier to brute-force, possibly resulting in MITM attacks between ntp clients and ntp servers. For short AES128 keys, ntpd generates a warning that it is padding them, but for other types there is no message as any length can be used for the legacy MAC. The key file is normally only writable by administrators. Affected Software/OS: NTPsec versions prior to 1.2.1. Solution: Update to version 1.2.1 or later. CVSS Score: 5.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2021-22212 https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22212.json https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3GIT2HYL5BQXPGKI6ZDNG473IEQ5WQF2/ https://bugzilla.redhat.com/show_bug.cgi?id=1955859 https://gitlab.com/NTPsec/ntpsec/-/issues/699
Copyright	Copyright (C) 2024 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.