CVE-2021-22212

Name of the Vulnerable Software and Affected Versions NTPsec version 1.2.0

Description The issue is related to the ntpkeygen component of the NTPsec protocol implementation, which can generate keys that ntpd fails to parse. This occurs when ntpkeygen generates keys containing '#' characters, causing ntpd to either pad, shorten the key, or fail to load these keys entirely. The result is that administrators may not be able to use the keys as expected, or the keys may be shorter than expected and easier to brute-force, potentially leading to man-in-the-middle (MITM) attacks between ntp clients and ntp servers.

Recommendations For NTPsec version 1.2.0, consider avoiding the use of keys generated with '#' characters until a patch is available. As a temporary workaround, restrict the generation of keys to those that do not contain '#' characters to minimize the risk of exploitation. Additionally, monitor ntpd warnings for short AES128 keys being padded, and take necessary measures to ensure key security. At the moment, there is no information about a newer version that contains a fix for this vulnerability.