A GPS bug was discovered that could cause the date to rewind back 1,024 weeks (March 2002): Scheduled to occur on October 24, 2021.


The U.S. government has issued a warning that a bug in a software library used by GPS navigation systems to synchronize time could cause unpatched devices to rewind the time by 1,024 weeks, or to a date in March 2002.

https://gitlab.com/gpsd/gpsd/-/issues/144

We have discovered a problem lurking in the timebase.c module since release 3.20.

This code would cause a backwards time jump of 1024 weeks from Saturday, October 16, 2021 to Sunday, March 3, 2002.

This bug is present in gpsd, a C library for adding GPS functionality to device firmware, and in its daemon, which is used by NTP servers.

This library not only provides connectivity to the Global Positioning System (GPS), but can also be used to retrieve Coordinated Universal Time (UTC) from the GPS system in order to synchronize devices.

A bug was discovered in this time fetcher in July 2021.

On October 24, this bug will also cause UTC time to be rolled back 1,024 weeks to March 3, 2002.

Versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021) of gpsd contain this bug.

The fix ships in gpsd 3.23, released in August 2021.

The Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory on this bug and its impending effective date of October 24, 2021.

GPS Daemon (GPSD) Rollover Bug | CISA

Owners and operators of critical infrastructure and other users who obtain Coordinated Universal Time (UTC) from Global Positioning System (GPS) devices should be aware of the bug in GPS Daemon (GPSD) versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021).

On October 24, 2021, Network Time Protocol (NTP) servers using the buggy GPSD versions 3.20 through 3.22 may roll back the date to March 2002, 1,024 weeks ago. As a result, systems and services may become unavailable or unresponsive.

CISA urges owners and operators of affected CIs to ensure that systems that use GPSD to obtain timing information from GPS devices are using GPSD version 3.23 (released August 8, 2021) or later.

For more information, see “Keeping Track of Time: Network Time Protocol and a GPSD Bug.”

In an article contributed to ISC SANS on September 29, 2021, security researcher Yee Chin explained that the bug resides in a regular feature of GPS called “week rollover,” which rolls the week number back to zero every 19.7 years.

According to Yee Chin, due to “a bug in some sanity check code in GPSD”, the library is scheduled to subtract 1024 from the week number counter, effectively rewinding time.

NTP servers are the most susceptible to this bug: some networks and devices may jump back to 2002 on October 24, 2021, and cron jobs and scheduled tasks are likely to go haywire.
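The week rollover arithmetic and a consumer-side guard against it, as an added example that is not gpsd's code and not from the original article: it resolves a wrapped week number against a trusted floor date and flags a backwards step of a whole number of 1,024-week periods. The function names, the floor value and the sample week numbers are constructed for illustration, and leap seconds are ignored.

```c
#include <stdint.h>
#include <stdio.h>

#define GPS_EPOCH_UNIX 315964800LL /* 1980-01-06 00:00:00 UTC as Unix time */
#define SECS_PER_WEEK  604800LL
#define ROLLOVER_WEEKS 1024        /* the broadcast week counter wraps here */

/* GPS week and seconds-into-week to Unix time (leap seconds ignored: assumption). */
static int64_t gps_to_unix(int week, int64_t tow)
{
    return GPS_EPOCH_UNIX + (int64_t)week * SECS_PER_WEEK + tow;
}

/* Resolve a wrapped week number to a full one: take the earliest 1024-week
 * period whose week does not end before floor_unix, a trusted lower bound
 * such as the firmware build date (hypothetical policy, not gpsd's). */
static int resolve_week(int week10, int64_t floor_unix)
{
    int week = week10 % ROLLOVER_WEEKS;
    while (gps_to_unix(week + 1, 0) <= floor_unix)
        week += ROLLOVER_WEEKS;
    return week;
}

/* How many whole 1024-week periods did time step backwards between two
 * samples? Returns 0 for forward steps and for unrelated backward steps. */
static int rollover_periods_back(int64_t prev, int64_t now, int64_t slack)
{
    const int64_t period = ROLLOVER_WEEKS * SECS_PER_WEEK;
    int64_t back = prev - now;
    if (back <= slack)
        return 0;
    int64_t n = (back + period / 2) / period; /* nearest whole period */
    int64_t rem = back - n * period;
    if (rem < 0)
        rem = -rem;
    return (n > 0 && rem <= slack) ? (int)n : 0;
}

int main(void)
{
    int64_t floor_unix = gps_to_unix(2100, 0);           /* constructed floor */
    int full = resolve_week(2181 % ROLLOVER_WEEKS, floor_unix);
    int64_t good = gps_to_unix(full, 0);
    int64_t bad = gps_to_unix(full - ROLLOVER_WEEKS, 0); /* effect described above */
    printf("resolved week %d, unix %lld\n", full, (long long)good);
    printf("rolled back unix %lld, periods back: %d\n", (long long)bad,
           rollover_periods_back(good - 1, bad, 2));
    return 0;
}
```

A time consumer such as an NTP reference clock driver can refuse to step the system clock when `rollover_periods_back` returns a non-zero value and alert instead.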
