Description
ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys.
References (14)
Scores
CVSS v3
7.5
EPSS
0.1656
EPSS Percentile
94.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-331
Status
published
Products (26)
debian/debian_linux
7.0
debian/debian_linux
8.0
fedoraproject/fedora
21
ntp/ntp
4.2.8 p1 (3 CPE variants)
ntp/ntp
4.3.0
ntp/ntp
4.3.1
ntp/ntp
4.3.2
ntp/ntp
4.3.3
ntp/ntp
4.3.4
ntp/ntp
4.3.5
... and 16 more
Published
Aug 09, 2017
Tracked Since
Feb 18, 2026