Turning back the time some 20 years
Remember the fuss about the Y2K bug?
The US Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning to users who get the time from GPS, about a “GPS Daemon” (GPSD) bug in GPSD versions 3.20 through 3.22.
The “Y2K” bug
Prior to the year 2000, lots of computer programs kept track of the year by remembering just the last two digits of the year (“99” instead of “1999”). These programs would work correctly until the first day of the new millennium, and then revert to 1900!
Though some computer programs don’t care what time it is, there were genuine fears that things would go horribly wrong - the power grids would shut down, planes would fall from the sky, the banking system would grind to a halt, and so on.
In the end, none of that happened because everyone received warnings well in advance and there was enough time to take action.
What’s the bug now?
In addition to telling you where you are in space, the Global Positioning System (GPS) can also tell you where you are in time. To do this, it keeps a count of the number of weeks since January 5, 1980. The main civil GPS signal broadcasts the GPS week number using a 10-bit code with a maximum value of 1,023 weeks. This means every 19.7 years, the GPS week number in the code rolls over to zero.
GPSD is a GPS service daemon for Linux, OpenBSD, Mac OS X, and Windows. It collects data from GPS receivers and makes that data accessible to computers, which can query it on TCP port 2947. It can be found on Android phones, drones, robot submarines, driverless cars, manned military equipment, and all sorts of other embedded systems.
But now a flaw in some versions of GPSD could cause time to roll back after October 23, 2021. The vulnerable versions of the code seem to subtract 1024 from the week number on October 24, 2021. This would mean Network Time Protocol (NTP) servers using the faulty GPSD versions would think it’s March 2002 instead of October 2021!
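The week arithmetic above is easy to check by hand. The following Python is an added example (not code from the article, from gpsd, or from CISA) that converts dates to GPS week numbers, shows what the 10-bit field carries, resolves a 10-bit value back to a full week the textbook way (choosing the candidate no earlier than a trusted reference date, which is a generic technique and not gpsd's actual code), and demonstrates where "1024 weeks earlier than October 24, 2021" lands. It uses the GPS epoch of 00:00 UTC on 6 January 1980 (the night of 5/6 January) and ignores leap seconds, which never change the week a date falls in. The function `looks_like_rollover` is a defender's sanity check for the symptom: a clock that is behind a trusted one by almost exactly a multiple of 1024 weeks.

```python
from datetime import datetime, timedelta, timezone

# GPS time starts at 00:00 UTC on 6 January 1980 (the night of 5/6 January 1980).
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)
WEEK_SECONDS = 7 * 24 * 3600
ROLLOVER = 1024  # the legacy 10-bit week field wraps after 2**10 weeks


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Small helper so callers can build UTC timestamps without importing datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def full_gps_week(t: datetime) -> int:
    """Unambiguous GPS week number of a UTC datetime (leap seconds ignored)."""
    return int((t - GPS_EPOCH).total_seconds()) // WEEK_SECONDS


def broadcast_week(full_week: int) -> int:
    """What the 10-bit field in the legacy navigation message actually carries."""
    return full_week % ROLLOVER


def week_start(full_week: int) -> datetime:
    """UTC midnight at the start of a full GPS week."""
    return GPS_EPOCH + timedelta(weeks=full_week)


def resolve_week(ten_bit: int, reference: datetime) -> int:
    """Recover a full week from a 10-bit value: pick the candidate that is
    congruent to ten_bit mod 1024 and is the first one at or after `reference`.
    Generic textbook approach (not gpsd's code); it is only as good as the
    reference it is given, e.g. a firmware build date or a battery-backed RTC."""
    ref_week = full_gps_week(reference)
    return ref_week + ((ten_bit - ref_week) % ROLLOVER)


def looks_like_rollover(reported: datetime, trusted: datetime, slack_days: int = 3) -> bool:
    """Sanity check for the symptom: is `reported` behind `trusted` by (a multiple
    of) 1024 weeks, give or take `slack_days`? Ordinary NTP drift returns False."""
    behind = (trusted - reported).total_seconds()
    if behind <= 0:
        return False
    cycle = ROLLOVER * WEEK_SECONDS
    cycles = round(behind / cycle)
    if cycles < 1:
        return False
    return abs(behind - cycles * cycle) <= slack_days * 86400


if __name__ == "__main__":
    trigger = utc(2021, 10, 24)
    week = full_gps_week(trigger)
    print(f"{trigger:%Y-%m-%d} starts GPS week {week}; 10-bit field carries {broadcast_week(week)}")
    # The advisory's description: 1024 gets subtracted from the week number.
    wrong = week_start(week - ROLLOVER)
    print(f"week {week - ROLLOVER} starts {wrong:%Y-%m-%d}")
    # The generic failure: a reference date more than one 1024-week cycle old
    # (here a constructed stale build date of 1 January 2001) resolves the same
    # 10-bit value to the week that begins in March 2002.
    print("resolved with 2021 reference:", resolve_week(broadcast_week(week), trigger))
    print("resolved with 2001 reference:", resolve_week(broadcast_week(week), utc(2001, 1, 1)))
    print("rollover symptom detected:", looks_like_rollover(wrong, trigger))
```

Run as a script it prints that October 24, 2021 begins GPS week 2181 (10-bit value 133), that week 1157 begins on 2002-03-10, that the stale reference resolves value 133 to week 1157, and that the detector flags the 2002 date against the real one. The check is deliberately coarse: a clock that is merely minutes or even a year off is an NTP problem, not a week rollover, and should not trip it.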
Is it going to be really bad?
For computer systems that have no other time reference this could cause a number of security issues. From the perspective of incident handling and incident response, well-synchronized time across systems facilitates log analysis, forensic activities and correlation of events. Losing track of what happened when can lead to missed incidents.
Even worse: NTP servers using the faulty GPSD version could get thrown back almost 20 years. Many businesses and organizations rely on NTP servers. Some authentication mechanisms also rely heavily on time. Users might therefore not be able to authenticate and gain access to systems.
This could also happen where authentication relies on cookies. Websites and services relying on expiring cookies do not respond well to cookies from twenty years in the future.
What to do
Since the affected GPSD versions are 3.20 through 3.22, users should upgrade to version 3.23.1. Organizations that use GPS appliances or rely on GPSD are urged to check if GPSD is being utilized anywhere in the infrastructure and check its corresponding version. An upgrade to GPSD may be required.
If you are a system administrator you’d do well to make a note of the date October 24, 2021. If systems start to have authentication issues after that, it could be due to a mismatch in date and time.