Network Time Protocol (NTP) Server Integer Overflow May Return the Incorrect Time

SecurityTracker Alert ID: 1009336
SecurityTracker URL: http://securitytracker.com/id/1009336
CVE Reference: CAN-2004-0657
Updated: Jul 14 2004
Original Entry Date: Mar 6 2004
Impact: Modification of system information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 4.0

Description:
A potential vulnerability was reported in the 'ntp' Network Time Protocol (NTP) implementation. An ntp server may return the wrong time.
David L. Mills reported an integer overflow in the Network Time Protocol (NTP) service. If the client-supplied date/time offset is greater than 34 years relative to the server's time, the server will miscalculate the offset reply, the report said.
US-CERT has issued Vulnerability Note VU#584606 regarding this vulnerability.
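
The 34-year figure is about 2^30 seconds, the point at which the sum of the two timestamp differences in the standard NTP offset formula stops fitting in a signed 32-bit integer. The C below is an added illustration of that arithmetic, not code from ntp or from the advisory; the function names, the seconds-only 32-bit arithmetic and the sample server time are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_YEAR 31557600u   /* 365.25 days */
#define SERVER_NOW    3287000000u /* constructed: NTP-era seconds, roughly 2004 */

/* Standard NTP offset ((T2 - T1) + (T3 - T4)) / 2, seconds only, with the
 * sum kept in 32 bits (assumed for illustration). The unsigned sum wraps
 * modulo 2^32; reading it back as signed goes wrong once it reaches 2^31,
 * i.e. once each difference reaches 2^30 s (about 34 years). The cast relies
 * on two's-complement conversion, as gcc and clang implement it. */
int32_t offset_narrow(uint32_t t1, uint32_t t2, uint32_t t3, uint32_t t4)
{
    uint32_t sum = (t2 - t1) + (t3 - t4);
    return (int32_t)sum / 2;
}

/* Same formula with each difference taken as signed 32-bit (good to about
 * 68 years) and the sum carried in 64 bits, so it cannot overflow. */
int64_t offset_wide(uint32_t t1, uint32_t t2, uint32_t t3, uint32_t t4)
{
    int64_t d1 = (int32_t)(t2 - t1);
    int64_t d2 = (int32_t)(t3 - t4);
    return (d1 + d2) / 2;
}

/* Client clock set `years` behind the server, zero network and processing
 * delay: T1 = T4 = client time, T2 = T3 = server time. */
uint32_t client_behind(uint32_t years)
{
    return SERVER_NOW - years * SECS_PER_YEAR;
}

int main(void)
{
    const uint32_t years[] = { 30, 34, 35 };
    for (size_t i = 0; i < 3; i++) {
        uint32_t c = client_behind(years[i]);
        printf("%u years behind: narrow=%d wide=%lld\n", (unsigned)years[i],
               (int)offset_narrow(c, SERVER_NOW, SERVER_NOW, c),
               (long long)offset_wide(c, SERVER_NOW, SERVER_NOW, c));
    }
    return 0;
}
```

At 30 and 34 years both functions agree; at 35 years the narrow version returns a large negative offset while the wide version still returns the true difference.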

Impact:
An ntp client may receive the incorrect time from an affected NTP server.

Solution:
The vendor has released a fixed version (4.0 and later versions), available at:
http://www.ntp.org/downloads.html

Vendor URL: www.ntp.org/

Cause: Boundary error

Underlying OS: Linux (Any), UNIX (Any)

Source Message Contents

Date: Fri, 05 Mar 2004 15:24:27 -0500
Subject: http://www.eecis.udel.edu/~mills/time.html

http://www.eecis.udel.edu/~mills/time.html
David L. Mills has reported an integer overflow in the Network Time Protocol (NTP)
service. If the client-supplied date/time offset is greater than 34 years relative to the
server's time, the server will reportedly miscalculate the offset reply, the report said.
A temporary solution is available in version 4, available at:
http://www.ntp.org/downloads.html
US-CERT has issued Vulnerability Note VU#584606 regarding this vulnerability.