{"vuid":"VU#584606","idnumber":"584606","name":"NTP service vulnerable to internal overflow if date / time offset is greater than 34 years","keywords":["NTP","internal overflow","date","time","34 years"],"overview":"NTP (Network Time Protocol) contains an integer overflow vulnerability that may lead to clients receiving an incorrect date/time offset.","clean_desc":"NTP (Network Time Protocol) is a method by which client machines can synchronize the local date and time with a reference server. The server will miscalculate the offset reply if it receives a request from an NTP client containing a date that is more than 34 years before or after the server's date. This offset is a 64-bit value, with 32 bits representing whole seconds, and 32 bits representing fractions of a second. The 34-year limit is imposed by the use of a 32-bit signed integer. The NTP server performs a series of calculations, accounting for transmission delay and computing time, resulting in a value which represents the difference between the NTP server time and the requesting machine's time. The packet sent back to the client is a date/time offset, which is then used to update the client's date/time.","impact":"Clients making requests of an NTP server and supplying a date/time that is more than 34 years in the future (or past) from the NTP server date/time will receive an incorrect date/time offset from the server, resulting in an incorrect date/time on the client. There is no known impact to the NTP server.","resolution":"NTPd Version 4 resolves this issue.","workarounds":"","sysaffected":"","thanks":"Thanks to David L. Mills of NTP.org for reporting this vulnerability.","author":"This document was written by Robert D Hanson.","public":["http://www.eecis.udel.edu/~mills/ntp.html","http://www.eecis.udel.edu/~mills/time.html","http://www.eecis.udel.edu/~mills/y2k.html"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-01-23T16:16:48Z","publicdate":"2004-01-22T00:00:00Z","datefirstpublished":"2004-03-05T19:06:03Z","dateupdated":"2004-03-05T19:06:27Z","revision":7,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"10","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"10","cam_impact":"1","cam_easeofexploitation":"2","cam_attackeraccessrequired":"10","cam_scorecurrent":"0.05625","cam_scorecurrentwidelyknown":"0.09375","cam_scorecurrentwidelyknownexploited":"0.16875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.05625,"vulnote":null}