[SANS ISC] Keeping Track of Time: Network Time Protocol and a GPSD Bug, (Wed, Sep 29th)

The Network Time Protocol (NTP) is critical to keeping accurate time on the systems that businesses and organizations rely on. Authentication mechanisms such as Time-based One-Time Password (TOTP) and Kerberos also depend heavily on time: if a client's clock differs severely from the server's, users cannot authenticate and gain access to systems. From the perspective of incident handling and incident response, well-synchronized time across systems is what makes log analysis, forensic activities and event correlation possible. Depending on operational requirements, organizations may choose to use public NTP servers for their time synchronization needs. Organizations that require higher time accuracy can instead opt for Global Positioning System (GPS) appliances and use daemons such as GPSD [1] to extract time information from them.

A reader recently highlighted to us a bug in the GPSD project that could cause time to roll back in October 2021 [2]. Because of the design of the GPS protocol, time rollback (technically termed "GPS Week Rollover", since the week number in the GPS signal is a 10-bit counter that wraps every 1024 weeks) can be anticipated and is usually closely monitored by manufacturers [3]. The next occurrence should have been in November 2038 [3], but a bug in some sanity-checking code within GPSD would cause it to subtract 1024 from the week number on October 24, 2021 [4]. This means NTP servers using the bugged GPSD version would report a time/date in March 2002 after October 24, 2021 [2].

The affected versions of GPSD are 3.20 through 3.22 [2]. The maintainer of GPSD, Gary E. Miller, indicated that users should upgrade to version 3.23.1 (released on September 21, 2021), as older versions (such as 3.19 and 3.20) are unsupported and have bugs [5]. Organizations that use GPS appliances or rely on GPSD should check whether GPSD is in use anywhere in their infrastructure and what version is installed. If no recent upgrades were performed, an upgrade to GPSD will likely be required. Blue teams should also keep a mental note of the date October 24, 2021. If systems that had been authenticating normally start to have authentication issues after October 24, 2021, the cause could be a mismatched date and time (likely March 2002) resulting from time synchronization with an errant NTP server running a bugged version of GPSD.
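The week arithmetic behind the rollback described above, together with the two checks the previous paragraph asks for (version triage and spotting hosts whose clocks have jumped back), as an added Python example written for this diary entry. It is not GPSD project code: the "faulty week" function is a model of the behaviour the diary reports (1024 subtracted from the week number from October 24, 2021 onward), not GPSD's actual sanity-check code; the assumption that a version number can be pulled out of text such as the output of `gpsd -V` is ours; and the hostnames and polled times are constructed sample data.

```python
"""GPS week arithmetic, a model of the reported GPSD rollover defect, and
two defender-side checks (version triage and clock-regression spotting).
Added example for this diary entry; not GPSD project code."""
import re
from datetime import datetime, timedelta, timezone

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)  # GPS week 0 began here
WEEK_ROLLOVER = 1024                                    # 10-bit week counter period


def gps_week_to_datetime(week, tow_seconds=0):
    """Convert a GPS week number plus seconds-into-week to a UTC datetime.
    Leap seconds are ignored; they do not matter at day granularity."""
    return GPS_EPOCH + timedelta(weeks=week, seconds=tow_seconds)


def datetime_to_gps_week(dt):
    """Inverse of the above: (week, time-of-week seconds) for a UTC datetime."""
    delta = dt - GPS_EPOCH
    return delta.days // 7, (delta.days % 7) * 86400 + delta.seconds


# The diary says the defect subtracts 1024 from the week number from
# October 24, 2021 onward; derive the trigger week from that date instead
# of hard-coding a threshold the entry does not give.
BUG_TRIGGER_WEEK, _ = datetime_to_gps_week(datetime(2021, 10, 24, tzinfo=timezone.utc))


def simulate_faulty_week(week):
    """Model (constructed here, not GPSD's code) of the reported behaviour:
    from the trigger week onward the week number is reduced by 1024."""
    return week - WEEK_ROLLOVER if week >= BUG_TRIGGER_WEEK else week


def assess_gpsd_version(version_text):
    """Triage a version string, or any text containing one (e.g. what
    `gpsd -V` prints; the exact output format is an assumption), against
    the diary's guidance. Returns 'affected', 'older-than-recommended'
    or 'current'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version_text)
    if not m:
        raise ValueError(f"no version number found in {version_text!r}")
    v = tuple(int(x) for x in m.groups() if x is not None)
    if (v[0], v[1]) in {(3, 20), (3, 21), (3, 22)}:
        return "affected"           # rollover bug present; upgrade to 3.23.1
    if v < (3, 23, 1):
        return "older-than-recommended"
    return "current"


def flag_clock_regressions(observations, reference_time, max_skew_seconds=3600):
    """Return (host, lag_in_days) for every host whose reported clock lags the
    reference by more than max_skew_seconds. A lag of roughly 7168 days
    (1024 weeks, about 19.6 years) is the signature of this GPSD bug."""
    flagged = []
    for host, reported in observations:
        lag = (reference_time - reported).total_seconds()
        if lag > max_skew_seconds:
            flagged.append((host, round(lag / 86400)))
    return flagged


# Constructed sample: three hosts polled on October 25, 2021 at 09:00 UTC.
# ntp2 is modelled as syncing from a GPSD 3.22 source that hit the bug.
SAMPLE_REFERENCE = datetime(2021, 10, 25, 9, 0, tzinfo=timezone.utc)
SAMPLE_OBSERVATIONS = [
    ("ntp1.example.test", datetime(2021, 10, 25, 9, 0, 1, tzinfo=timezone.utc)),
    ("ntp2.example.test",
     gps_week_to_datetime(simulate_faulty_week(BUG_TRIGGER_WEEK), 1 * 86400 + 9 * 3600)),
    ("kdc1.example.test", datetime(2021, 10, 25, 8, 59, 58, tzinfo=timezone.utc)),
]


if __name__ == "__main__":
    print("trigger week:", BUG_TRIGGER_WEEK)
    print("week after the bug fires:",
          gps_week_to_datetime(simulate_faulty_week(BUG_TRIGGER_WEEK)).date())
    for text in ("gpsd: 3.22", "3.23.1", "3.19"):
        print(text, "->", assess_gpsd_version(text))
    print("hosts with regressed clocks:",
          flag_clock_regressions(SAMPLE_OBSERVATIONS, SAMPLE_REFERENCE))
```

Running it shows that October 24, 2021 begins GPS week 2181, that week 2181 minus 1024 lands on March 10, 2002, and that only the host fed by the faulty source is flagged, with a lag of 7168 days; a Kerberos KDC or TOTP validator seeing that gap is exactly the authentication failure the diary warns about.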

Based on the date on which the bug will be triggered on bugged versions of GPSD, there are still about 3 weeks before the week of October 24, 2021. System owners and administrators should be in the nick of time (no pun intended!) if they start checking and patching GPSD now.

[1] https://gpsd.gitlab.io/gpsd/
[2] https://gitlab.com/gpsd/gpsd/-/issues/144
[3] https://www.gps.gov/support/user/rollover/
[4] https://gitlab.com/gpsd/gpsd/-/issues/144#note_633479883
[5] https://gitlab.com/gpsd/gpsd/-/issues/144#note_689396224

Yee Ching Tok, ISC Handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
