SecurityTracker.com
Category:   Application (Generic)  >   ntp
Vendors:   Mills, David L. et al
Network Time Protocol (NTP) Server Integer Overflow May Return the Incorrect Time
SecurityTracker Alert ID:  1009336
SecurityTracker URL:  http://securitytracker.com/id/1009336
CVE Reference:   CAN-2004-0657
Updated:  Jul 14 2004
Original Entry Date:  Mar 6 2004
Impact:   Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 4.0
Description:   A potential vulnerability was reported in the 'ntp' Network Time Protocol (NTP) implementation. An ntp server may return the wrong time.

David L. Mills reported an integer overflow in the Network Time Protocol (NTP) service. If the client-supplied date/time offset is greater than 34 years relative to the server's time, the server will miscalculate the offset reply, the report said.

US-CERT has issued Vulnerability Note VU#584606 regarding this vulnerability.

Impact:   An ntp client may receive the incorrect time from an affected NTP server.
Solution:   The vendor has released a fixed version (4.0 and later versions), available at:

http://www.ntp.org/downloads.html

Vendor URL:  www.ntp.org/
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 3 2004 (HP Issues Fix for Tru64) Network Time Protocol (NTP) Server Integer Overflow May Return the Incorrect Time
HP has issued a fix for HP Tru64 UNIX.



 Source Message Contents

Date:  Fri, 05 Mar 2004 15:24:27 -0500
Subject:  http://www.eecis.udel.edu/~mills/time.html


http://www.eecis.udel.edu/~mills/time.html

David L. Mills has reported an integer overflow in the Network Time Protocol (NTP) 
service.  If the client-supplied date/time offset is greater than 34 years relative to the 
server's time, the server will reportedly miscalculate the offset reply, the report said.

A temporary solution is available in version 4, available at:

http://www.ntp.org/downloads.html

US-CERT has issued Vulnerability Note VU#584606 regarding this vulnerability.

 
 


Copyright 2014, SecurityGlobal.net LLC