OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Openntpd | Openntpd | * | 6.0 |