[SANS ISC] Keeping Track of Time: Network Time Protocol and a GPSD Bug, (Wed, Sep 29th)

The Network Time Protocol (NTP) has been critical in ensuring time is accurately kept for various systems businesses and organizations rely on. Authentication mechanisms such as Time-based One-Time Password (TOTP) and Kerberos also rely heavily on time. As such, should there be a severe mismatch in time, users would not be able to authenticate and gain access to systems. From the perspective of incident handling and incident response, well-synchronized time across systems facilitates log analysis, forensic activities and correlation of events. Depending on operational requirements, organizations may choose to utilize public NTP servers for their time synchronization needs. For organizations that require higher time accuracy, they could opt for Global Positioning Systems (GPS) appliances and use daemons such as GPSD [1] to extract time information from these GPS appliances.

A reader recently highlighted to us a bug in the GPSD project that could cause time to rollback in October 2021 [2]. Due to the design of the GPS protocol, time rollback (or technically termed “GPS Week Rollover”) can be anticipated and usually closely monitored by manufacturers [3]. The next occurrence should have been in November 2038 [3], but a bug in some sanity checking code within GPSD would cause it to subtract 1024 from the week number on October 24, 2021 [4]. This would mean NTP servers using the bugged GPSD version would show a time/date of March 2002 after October 24, 2021 [2].

The affected versions of GPSD are versions 3.20-3.22 [2]. The maintainer of GPSD, Gary E. Miller, indicated that users should upgrade to version 3.23.1 (released on September 21, 2021) as older versions (such as 3.19 and 3.20) are unsupported and had bugs [5]. For organizations that are using GPS appliances or rely on GPSD, it is recommended to check if GPSD is being utilized anywhere in the infrastructure and check its corresponding version. It is likely that an upgrade to GPSD will be required if no recent upgrades were performed. It is also recommended that blue teams keep a mental note of the date October 24, 2021. If systems that had been authenticating normally start to have authentication issues after October 24 2021, it could be due to a mismatched date and time (likely March 2002) caused by time synchronization with an errant NTP server running a bugged version of GPSD.

Based on the date where the bug will be triggered on bugged versions of GPSD, there is still about 3 weeks before the week of October 24, 2021. System owners and administrators should be in the nick of time (no pun intended!) if they start checking and patch GPSD now.

References:
[1] https://gpsd.gitlab.io/gpsd/
[2] https://gitlab.com/gpsd/gpsd/-/issues/144
[3] https://www.gps.gov/support/user/rollover/
[4] https://gitlab.com/gpsd/gpsd/-/issues/144#note_633479883
[5] https://gitlab.com/gpsd/gpsd/-/issues/144#note_689396224

———–
Yee Ching Tok, ISC Handler
Personal Site
Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[ZDNet] Google reveals ‘Topics’ cookie replacement, acknowledges FLoC was problematic

All posts, ZDNet

The search company’s second attempt to replace third-party cookies relies on the user’s previous three weeks of browsing history to provide what it claims is a more anonymized, transparent way of service interest-based ads. Source: Read More (Latest topics for ZDNet in Security)

Read More

[ZDNet] Security team finds Crimea manifesto buried in VBA Rat using double attack vectors

All posts, ZDNet

The Malwarebytes report said a new threat actor may be targeting Russian and pro-Russian individuals. Source: Read More (Latest topics for ZDNet in Security)

Read More

[ZDNet] ZTE widens bug bounty to focus on 5G security

All posts, ZDNet

Chinese networking equipment vendor is working with bug bounty platform YesWeHack to test a range of products that include 5G networking systems, smartphones, Internet of Things devices, and cloud systems. Source: Read More (Latest topics for ZDNet in Security)

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.