CISA warns of GPS bug that may roll back dates by 1,024 weeks, to March 2002
The US government is warning companies about a bug in a software library used to synchronize time via the GPS navigation system that, on unpatched devices, will roll back time by 1,024 weeks to March 2002.
- The bug resides in gpsd, a daemon and C library used to add GPS support to a device's firmware and commonly deployed as the reference time source for NTP servers.
- Besides providing connectivity to the Global Positioning System (GPS), gpsd can also derive Coordinated Universal Time (UTC) from the GPS signal in order to synchronize device clocks.
- A bug was discovered in this time retrieval feature in July this year.
- On October 24, the bug will roll UTC time back by 1,024 weeks, to March 3, 2002.
- gpsd versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021) contain the bug.
- A fix was released in August 2021, with gpsd 3.23.
On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) published a security advisory about the bug and its impending trigger date of Sunday, October 24.
CISA urged operators of critical infrastructure to update devices to use the latest gpsd library versions, warning that the bug "may cause systems and services to become unavailable or unresponsive."
Analyzing the bug in a write-up for ISC SANS on September 29, security researcher Yee Ching said it resides in a legitimate GPS feature called the "week rollover," which resets the week number back to zero every 1,024 weeks, or roughly every 19.7 years. The GPS navigation message carries the week number as a 10-bit counter, which is why it wraps; the most recent rollover happened in April 2019, and receivers and software have to work out which 1,024-week epoch a broadcast week number belongs to.
Yee said that because of a "bug in some sanity checking code within GPSD," the library will subtract 1,024 from the week number this weekend, effectively rolling back time by one full epoch.
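To make the mechanism concrete, here is an added worked example. It is not gpsd's code and is not taken from the researcher's write-up; it shows how a 10-bit GPS week number is resolved into a full week count against a reference date (for instance a build date), and how a hypothetical sanity check with a hard-coded ceiling knocks the result back by exactly 1,024 weeks the moment the real week passes that ceiling. The reference date of January 1, 2020, the ceiling week of 2180 and the fixed 18-second GPS-to-UTC leap-second offset are assumptions made for the illustration, not values from gpsd.

```python
from datetime import datetime, timedelta, timezone

# GPS time starts at 1980-01-06 00:00:00 UTC. The legacy navigation message
# carries the week number as a 10-bit field, so it wraps every 1024 weeks.
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)
WEEK = timedelta(weeks=1)
ROLLOVER = 1024
# GPS time runs ahead of UTC by the accumulated leap seconds (18 s since 2017).
# Assumed constant here; a real receiver reads the current value from the signal.
GPS_UTC_OFFSET = 18


def utc_to_full_week(t: datetime) -> int:
    """Unambiguous week count since the GPS epoch for a UTC timestamp."""
    return (t - GPS_EPOCH) // WEEK


def truncated_week(full_week: int) -> int:
    """What the satellite actually broadcasts: the low 10 bits of the week."""
    return full_week % ROLLOVER


def gps_to_utc(full_week: int, tow_seconds: float,
               leap_seconds: int = GPS_UTC_OFFSET) -> datetime:
    """Full week + seconds-of-week (time of week) -> UTC."""
    return GPS_EPOCH + full_week * WEEK + timedelta(seconds=tow_seconds - leap_seconds)


def resolve_week(week10: int, not_before: datetime) -> int:
    """Resolve the 10-bit week assuming the true date is no earlier than
    `not_before` (e.g. the software's build date): pick the earliest full week
    at or after the reference whose low 10 bits match. No upper limit needed."""
    ref_week = utc_to_full_week(not_before)
    base = ref_week - ref_week % ROLLOVER   # first week of the epoch holding the reference
    full = base + week10
    if full < ref_week:                     # counter already wrapped past the reference
        full += ROLLOVER
    return full


def resolve_week_with_ceiling(week10: int, not_before: datetime,
                              ceiling_week: int) -> int:
    """Hypothetical flawed variant (assumption, not gpsd's actual check): after
    resolving correctly, a 'sanity check' rejects any week above a hard-coded
    ceiling and assumes the receiver must be one epoch behind. On the day the
    real week exceeds the ceiling, every fix is pushed back exactly 1024 weeks."""
    full = resolve_week(week10, not_before)
    if full > ceiling_week:
        full -= ROLLOVER
    return full


def demo():
    """Resolve the week for Sunday 2021-10-24 both ways and return the results."""
    build_date = datetime(2020, 1, 1, tzinfo=timezone.utc)   # assumed reference
    ceiling = 2180                                            # assumed bad ceiling
    sunday = datetime(2021, 10, 24, tzinfo=timezone.utc)
    week = utc_to_full_week(sunday)          # full week 2181
    w10 = truncated_week(week)               # 133, the value a receiver sees
    good = gps_to_utc(resolve_week(w10, build_date), 0)
    bad = gps_to_utc(resolve_week_with_ceiling(w10, build_date, ceiling), 0)
    return week, w10, good, bad


if __name__ == "__main__":
    week, w10, good, bad = demo()
    print(f"full week {week}, broadcast week {w10}")
    print(f"correct resolution : {good.isoformat()}")
    print(f"with bad ceiling   : {bad.isoformat()} ({(good - bad).days // 7} weeks earlier)")
```

The point of the contrast is that a lower bound (nothing can be earlier than the build date) is enough to disambiguate the epoch, while an upper bound has to be maintained by hand and silently turns into a time bomb once the calendar passes it.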
NTP servers that take their reference time from gpsd are the most likely to be affected: clients that trust them could find themselves back in 2002 this weekend, which would break cron jobs, scheduled tasks, and anything else that compares timestamps, such as TLS certificate validity checks and log correlation.
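As an added check, not from the article or the CISA advisory: the audit below parses a constructed sample of gpsd's JSON report stream (the format that `gpspipe -w` prints, with `VERSION` and `TPV` records), flags a release in the affected 3.20 through 3.22 range, and flags any position/time fix whose timestamp sits about 1,024 weeks behind the host clock. The sample lines, the host time and the one-hour tolerance are assumptions made for the illustration.

```python
import json
from datetime import datetime, timedelta, timezone

ROLLOVER = timedelta(weeks=1024)
TOLERANCE = timedelta(hours=1)   # assumed slack for ordinary clock drift

# Constructed sample of gpsd's JSON stream, not a real capture.
SAMPLE_GPSPIPE_OUTPUT = """\
{"class":"VERSION","release":"3.22","rev":"3.22","proto_major":3,"proto_minor":14}
{"class":"DEVICES","devices":[{"class":"DEVICE","path":"/dev/ttyUSB0","driver":"NMEA0183"}]}
{"class":"TPV","device":"/dev/ttyUSB0","mode":3,"time":"2021-10-23T23:59:41.000Z","lat":51.5,"lon":-0.12}
{"class":"TPV","device":"/dev/ttyUSB0","mode":3,"time":"2002-03-09T23:59:42.000Z","lat":51.5,"lon":-0.12}
"""


def affected_release(release: str) -> bool:
    """gpsd 3.20 through 3.22 carry the bug; 3.23 and later are fixed."""
    major, minor = (int(part) for part in release.split(".")[:2])
    return (3, 20) <= (major, minor) <= (3, 22)


def parse_gpsd_time(value: str) -> datetime:
    """gpsd reports time as ISO 8601 with millisecond precision and a Z suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_stream(lines, now: datetime):
    """Return (finding, detail) pairs for an affected release and for any TPV
    fix whose time is one full 1024-week epoch behind `now` (within TOLERANCE)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        msg = json.loads(line)
        cls = msg.get("class")
        if cls == "VERSION" and affected_release(msg.get("release", "0.0")):
            findings.append(("affected_release", msg["release"]))
        elif cls == "TPV" and "time" in msg:      # mode 0/1 fixes may carry no time
            reported = parse_gpsd_time(msg["time"])
            if abs((now - reported) - ROLLOVER) <= TOLERANCE:
                findings.append(("week_rollback", msg["time"]))
    return findings


if __name__ == "__main__":
    host_now = datetime(2021, 10, 23, 23, 59, 42, tzinfo=timezone.utc)  # assumed host clock
    for finding in audit_stream(SAMPLE_GPSPIPE_OUTPUT.splitlines(), host_now):
        print(*finding)
```

On a live host the same function can be fed the output of `gpspipe -w` and the real system clock; a `week_rollback` finding on an NTP server means downstream clients should be pointed at another stratum source until gpsd is upgraded.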
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.