NTP service vulnerable to internal overflow if date / time offset is greater than 34 years

2004-03-05T00:00:00
ID VU:584606
Type cert
Reporter CERT
Modified 2004-03-05T00:00:00

Description

Overview

NTP (Network Time Protocol) contains an integer overflow vulnerability that may lead to clients receiving an incorrect date/time offset.

Description

NTP (Network Time Protocol) is a method by which client machines can synchronize their local date and time with a reference server. The server will miscalculate the offset reply if it receives a request from an NTP client containing a date that is more than 34 years ahead of or behind the server's date.

This offset is a 64-bit value, with 32 bits representing whole seconds and 32 bits representing fractions of a second. The 34-year limit is imposed by the use of a 32-bit signed integer.

The NTP server performs a series of calculations, accounting for transmission delay and computing time, resulting in a value which represents the difference between the NTP server time and the requesting machine's time.

The packet sent back to the client is a date/time offset, which is then used to update the client's date/time.
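The overflow described above, as an added C example that is not part of the original advisory and is not ntpd code: it assumes the standard NTP clock-offset formula ((T2 - T1) + (T3 - T4)) / 2, reduced to whole seconds, and compares a 32-bit signed result with a 64-bit reference. The timestamps, `SERVER_NOW` and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define SECS_PER_YEAR 31557600LL      /* 365.25 days */
#define SERVER_NOW    3300000000LL    /* constructed server time, in seconds */

/* Constructed exchange: client clock `years` behind the server, 1 s network
 * delay each way, 1 s server processing. t[0..3] hold T1..T4. */
static void exchange(int years, int64_t t[4])
{
    int64_t client = SERVER_NOW - years * SECS_PER_YEAR;
    t[0] = client;            /* T1: client transmit */
    t[1] = SERVER_NOW + 1;    /* T2: server receive  */
    t[2] = SERVER_NOW + 2;    /* T3: server transmit */
    t[3] = client + 3;        /* T4: client receive  */
}

/* Reference: the offset formula in 64-bit arithmetic, which cannot overflow here. */
static int64_t true_offset(int years)
{
    int64_t t[4];
    exchange(years, t);
    return ((t[1] - t[0]) + (t[2] - t[3])) / 2;
}

/* Same formula with whole seconds held in 32 bits. Unsigned math wraps
 * modulo 2^32 (well defined in C); the cast reinterprets the sum as signed. */
static int32_t wrapped_offset(int years)
{
    int64_t t[4];
    exchange(years, t);
    uint32_t sum = ((uint32_t)t[1] - (uint32_t)t[0])
                 + ((uint32_t)t[2] - (uint32_t)t[3]);
    return (int32_t)sum / 2;
}

/* Guard: the 32-bit result can be trusted only if the sum of the two
 * differences (twice the offset) fits in a signed 32-bit integer. */
static int offset_fits(int years)
{
    int64_t twice = 2 * true_offset(years);
    return twice >= INT32_MIN && twice <= INT32_MAX;
}

int main(void)
{
    for (int y = 33; y <= 35; y++)
        printf("%d years: true %lld s, 32-bit %d s, fits=%d\n", y,
               (long long)true_offset(y), (int)wrapped_offset(y), offset_fits(y));
}
```

The sum of the two differences is twice the offset, so it exceeds the signed 32-bit range once the clocks differ by more than 2^30 seconds, which is about 34 years.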


Impact

Clients making requests of an NTP server and supplying a date/time that is more than 34 years in the future (or past) from the NTP server date/time will receive an incorrect date/time offset from the server, resulting in an incorrect date/time on the client.

There is no known impact to the NTP server.


Solution

NTPd Version 4 resolves this issue.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
NTP.org| | -| 05 Mar 2004

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.eecis.udel.edu/~mills/ntp.html>
  • <http://www.eecis.udel.edu/~mills/time.html>
  • <http://www.eecis.udel.edu/~mills/y2k.html>

Credit

Thanks to David L. Mills of NTP.org for reporting this vulnerability.

This document was written by Robert D Hanson.

Other Information

  • CVE IDs: Unknown
  • Date Public: 22 Jan 2004
  • Date First Published: 05 Mar 2004
  • Date Last Updated: 05 Mar 2004
  • Severity Metric: 0.06
  • Document Revision: 5