CVE-2021-46873

WireGuard, such as WireGuard 0.5.3 on Windows, does not fully account for the possibility that an adversary might be able to set a victim's system time to a future value, e.g., because unauthenticated NTP is used. This can lead to an outcome in which one static private key becomes permanently useless.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://lists.zx2c4.com/pipermail/wireguard/2021-August/006916.html	Mailing List Third Party Advisory
https://lists.zx2c4.com/pipermail/wireguard/2021-August/006916.html	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:wireguard:wireguard:0.5.3:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

28 Mar 2025, 16:15

Type	Values Removed	Values Added
CWE		CWE-362

21 Nov 2024, 06:34

Type	Values Removed	Values Added
Summary		(es) WireGuard, como WireGuard 0.5.3 en Windows, no tiene en cuenta completamente la posibilidad de que un adversario pueda establecer la hora del sistema de una víctima en un valor futuro, por ejemplo, porque se utiliza NTP no autenticado. Esto puede llevar a un resultado en el que una clave privada estática se vuelva permanentemente inútil.
References	~~() https://lists.zx2c4.com/pipermail/wireguard/2021-August/006916.html - Mailing List, Third Party Advisory~~	() https://lists.zx2c4.com/pipermail/wireguard/2021-August/006916.html - Mailing List, Third Party Advisory

Information

Published : 2023-01-29 23:15

Updated : 2025-03-28 16:15

NVD link : CVE-2021-46873

Mitre link : CVE-2021-46873

CVE.ORG link : CVE-2021-46873

JSON object : View

Products Affected

microsoft

windows

wireguard

wireguard

CWE

NVD-CWE-noinfo CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

{"id": "CVE-2021-46873", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-01-29T23:15:08.703", "references": [{"url": "https://lists.zx2c4.com/pipermail/wireguard/2021-August/006916.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.zx2c4.com/pipermail/wireguard/2021-August/006916.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "WireGuard, such as WireGuard 0.5.3 on Windows, does not fully account for the possibility that an adversary might be able to set a victim's system time to a future value, e.g., because unauthenticated NTP is used. This can lead to an outcome in which one static private key becomes permanently useless."}, {"lang": "es", "value": "WireGuard, como WireGuard 0.5.3 en Windows, no tiene en cuenta completamente la posibilidad de que un adversario pueda establecer la hora del sistema de una v\u00edctima en un valor futuro, por ejemplo, porque se utiliza NTP no autenticado. Esto puede llevar a un resultado en el que una clave privada est\u00e1tica se vuelva permanentemente in\u00fatil."}], "lastModified": "2025-03-28T16:15:20.180", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wireguard:wireguard:0.5.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20B2F68C-BAD1-4CA0-88B2-9AD317C88BC4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}