[TheRecord] CISA warns of GPS bug that may roll back dates by 1,024 weeks, to March 2002

The US government is warning companies about a bug in a software library used to synchronize time via the GPS navigational system that will roll back time on unpatched devices by 1,024 weeks, to a date in March 2002.

The bug resides in gpsd, a C library for adding GPS support to a device’s firmware. Besides providing connectivity to the Global Positioning System (GPS), the library can also be used to obtain Coordinated Universal Time (UTC) from the GPS system in order to synchronize devices. A bug was discovered in this time retrieval feature in July this year. On October 24, the bug will trigger a rollback of UTC time to 1,024 weeks in the past, to March 3, 2002. gpsd versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021) contain the bug. A fix was released in August 2021, with gpsd 3.23.

Yesterday, on Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) published a security advisory about this bug and its impending trigger date of October 24, this Sunday.

CISA urged operators of critical infrastructure to update devices to use the latest gpsd library versions, warning that the bug “may cause systems and services to become unavailable or unresponsive.”

Analyzing the bug in a write-up for ISC SANS on September 29, security researcher Yee Ching said the bug resides in a legitimate GPS feature called the “week rollover,” which resets the week number back to zero every 19.7 years.

Yee said that due to a “bug in some sanity checking code within GPSD” the library subtracted 1024 from the week number, rather than just resetting a counter, effectively rolling back time.
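The week rollover and the 1,024-week rollback described above can be illustrated with a short C sketch. This is an added example, not code from gpsd or from the original article: it expands a 10-bit broadcast week number against a week known to be in the past, and lets a time consumer flag a backward step that is a whole multiple of 1,024 weeks before accepting it. The function names, the tolerance and the sample week numbers are assumptions constructed for illustration, and leap seconds are ignored.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_WEEK  (7 * 24 * 3600LL)
#define GPS_EPOCH_UNIX 315964800LL  /* 1980-01-06 00:00:00 UTC */
#define WEEKS_PER_ERA  1024         /* broadcast week counter is 10 bits */

/* Expand a 10-bit broadcast week to a full week count: the smallest week
 * >= floor_week (a week known to be in the past, e.g. the firmware build
 * week; hypothetical parameter) that matches wn10 modulo 1024. */
int resolve_week(int wn10, int floor_week)
{
    int week = (floor_week / WEEKS_PER_ERA) * WEEKS_PER_ERA
             + (wn10 % WEEKS_PER_ERA);
    if (week < floor_week)
        week += WEEKS_PER_ERA;
    return week;
}

/* Start of a full GPS week as Unix seconds (leap seconds ignored). */
int64_t week_to_unix(int week)
{
    return GPS_EPOCH_UNIX + (int64_t)week * SECS_PER_WEEK;
}

/* Returns n > 0 when candidate lies n * 1024 weeks (+/- tol seconds) behind
 * last_good, the signature of a week-rollover error; returns 0 otherwise. */
int rollover_eras_behind(int64_t last_good, int64_t candidate, int64_t tol)
{
    const int64_t era = WEEKS_PER_ERA * SECS_PER_WEEK;
    int64_t back = last_good - candidate;
    if (back < era - tol)
        return 0;
    int64_t n = (back + era / 2) / era;
    int64_t resid = back - n * era;
    if (resid < 0)
        resid = -resid;
    return resid <= tol ? (int)n : 0;
}

int main(void)
{
    /* Constructed sample: floor week 2150, broadcast week 152. */
    int week = resolve_week(152, 2150);
    int64_t good = week_to_unix(week);
    int64_t bad = week_to_unix(week - WEEKS_PER_ERA) + 5; /* rolled back */
    printf("week=%d eras_behind=%d\n", week, rollover_eras_behind(good, bad, 60));
    return 0;
}
```

A nonzero result from `rollover_eras_behind` is a reason to hold the clock and raise an alert instead of stepping system time backward.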

The post CISA warns of GPS bug that may roll back dates by 1,024 weeks, to March 2002 appeared first on The Record by Recorded Future.
