GHSA-37xq-q42p-rv3p: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-37xq-q42p-rv3p) affects the ntpd Rust package versions prior to 0.3.7. Discovered and disclosed on August 24, 2023, this security issue is related to a dependency on a vulnerable third-party component (webpki) that can cause expensive key validation processes during startup when Network Time Security (NTS) is used (GitHub Advisory).

The vulnerability has been assigned a CVSS score of 2.6 (Low severity) with the following characteristics: Adjacent attack vector, High attack complexity, No privileges required, User interaction required, Unchanged scope, and Low availability impact. The CVSS string is CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L. The vulnerability is categorized under CWE-1395 (GitHub Advisory).

When exploited, this vulnerability can result in excessive CPU usage during the startup phase of clients configured to use Network Time Security (NTS). The impact is specifically limited to the startup process and affects system availability (GitHub Advisory, RustSec Advisory).

Users are recommended to upgrade to version 0.3.7 of the ntpd package, which contains the patch for this vulnerability. This version addresses the underlying issue in the webpki dependency (GitHub Advisory).