Showing posts with label GPS daemon. Show all posts
Showing posts with label GPS daemon. Show all posts

Wednesday, 24 November 2021

A bug is about to confuse a lot of computers!

 

Turning back the time some 20 years

Remember the fuss about the Y2K bug?

The US Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning to users who get the time from GPS, about a “GPS Daemon” (GPSD) bug in GPSD versions 3.20 through 3.22.

The “Y2K” bug

Prior to year 2000, lots of computer programs kept track of the year by remembering just the last two digits of the year (“99”, instead of “1999”). These programs would work correctly until the first day of the new millennium, and then revert back to 1900!

Though some computer programs don’t care what time it is, there was genuine fears that things would go horribly wrong - the power grids would shut down, planes would fall from the sky, the banking system would grind to a halt, and so on.

In the end, none of that happened because everyone received warnings well in advance and there was enough time to take action.

What’s the bug now?

In addition to telling you where you are in space, the Global Positioning System (GPS) can also tell you where you are in time. To do this, it keeps a count of the number of weeks since January 5, 1980. The main civil GPS signal broadcasts the GPS week number using a 10-bit code with a maximum value of 1,023 weeks. This means every 19.7 years, the GPS week number in the code rolls over to zero.

GPSD is a GPS service daemon for Linux, OpenBSD, Mac OS X, and Windows. It collects data from GPS receivers and makes that data accessible to computers, which can query it on TCP port 2947. It can be found on Android phones, drones, robot submarines, driverless cars, manned military equipment, and all sorts of other embedded systems.

But now a flaw in some versions of GPSD could cause time to roll back after October 23, 2021. The vulnerable versions of the code seem to subtract 1024 from the week number on October 24, 2021. This would mean Network Time Protocol (NTP) servers using the faulty GPSD versions would think it’s March 2002 instead of October 2021!

Is it going to be really bad?

For computer systems that have no other time reference this could cause a number of security issues. From the perspective of incident handling and incident response, well-synchronized time across systems facilitates log analysis, forensic activities and correlation of events. Losing track of what happened when, can lead to missed incidents.

Even worse: NTP servers using the faulty GPSD version could get thrown back almost 20 years. Many businesses and organizations rely on NTP’s. Some authentication mechanisms also rely heavily on time. Users might therefore not be able to authenticate and gain access to systems.

This could also happen where authentication relies on cookies. Websites and services relying on expiring cookies do not respond well to cookies from twenty years in the future.

What to do

Since the affected GPSD versions are 3.20 through 3.22 users should upgrade to version 3.23.1. Organizations that use GPS appliances or rely on GPSD are urged to check if GPSD is being utilized anywhere in the infrastructure and check its corresponding version. An upgrade to GPSD may be required.

If you are a system administrators you’d do well to make a note of the date October 24, 2021. If systems start to have authentication issues after that, it could be due to a mismatch in date and time.