CVE-2009-0021 — Improper Authentication in NTP

CWE-287 — Improper Authentication8 documents8 sources

Severity

5.0MEDIUMNVD

OSV5.8

EPSS

2.2%

top 15.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NTP Debian NTP

Timeline

PublishedJan 7

Latest updateMay 2

Description

NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/ntp< ntp 1:4.2.4p4+dfsg-8 (bullseye)

▶Debianntp/ntp< 1:4.2.4p4+dfsg-8

▶NVDntp/ntp4.2.4p4+5

🔴Vulnerability Details

GHSA

GHSA-4q4m-qx69-vcgq: NTP 4↗2022-05-02

▶

OSV

CVE-2009-0021: NTP 4↗2009-01-07

▶

📋Vendor Advisories

BSD

FreeBSD-SA-09:03.ntpd: ntpd cryptographic signature bypass↗2009-01-13

▶

Ubuntu

NTP vulnerability↗2009-01-08

▶

Red Hat

ntp incorrectly checks for malformed signatures↗2009-01-07

▶

Debian

CVE-2009-0021: ntp - NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the ...↗2009

▶

💬Community

Bugzilla

CVE-2009-0021 ntp incorrectly checks for malformed signatures↗2008-12-17

▶