CVE-2023-4012: 
Linux Debian vulnerability analysis and mitigation

CVE-2023-4012 affects NTPsec version 1.2.2, where ntpd will crash if the server is not NTS-enabled (no certificate) and it receives an NTS-enabled client request (mode 3). The vulnerability was discovered in June 2023 and was fixed in version 1.2.2+dfsg1-2 (NVD, Debian Bug).

The vulnerability manifests as a segmentation fault in libcrypto.so when processing NTS-enabled client requests on non-NTS servers. The CVSS v3.1 base score is 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The crash occurs in the aesnisetencrypt_key function when attempting to process NTS cookies without proper server configuration (GitLab Issue).

The vulnerability results in a denial of service condition as the ntpd process crashes, disrupting time synchronization services. This is particularly impactful for systems participating in the NTP Pool project or serving as time servers for other systems (Debian Bug).

The issue has been fixed in NTPsec version 1.2.2+dfsg1-2 and 1.2.2+dfsg1-1+deb12u1. The fix involves adding a check to prevent processing NTS requests when the server is not NTS-enabled. Users should upgrade to the patched versions (Debian Bug).