gpsd Open Source Project

Plan PatchCVSS 8.3ICS-CERT ICSA-18-310-01Nov 6, 2018

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

A stack buffer overflow exists in gpsd versions 2.90–3.17 and microjson versions 1.0–1.3 in the parsing of GPS/NMEA protocol messages. An attacker on an adjacent network can send a malicious message to the gpsd service to trigger the overflow, leading to remote code execution, data exfiltration, or denial of service via crash. High skill is required to exploit. Platforms with stack protectors and local variable reordering limit impact to availability only. No known public exploits exist at the time of this advisory.

What this means

What could happen

An attacker with network access to a device running vulnerable gpsd could execute arbitrary code on the device, potentially exfiltrating data or crashing it. If gpsd controls or monitors critical infrastructure sensors or navigation, this could disrupt operations.

Who's at risk

Any system or device running gpsd (a GPS daemon commonly used in industrial control systems, maritime navigation, time synchronization appliances, and autonomous vehicles) versions 2.90 through 3.17 is affected. This includes embedded navigation systems, precision timing modules, and any telemetry or location-aware ICS component that depends on gpsd or the microjson library. Critical infrastructure operators relying on GPS-synchronized systems (power grid, water systems, telecommunications) should assess whether gpsd is in use in their environment.

How it could be exploited

An attacker on an adjacent network sends a specially crafted message to the gpsd service (typically listening on port 2947). The vulnerability is a stack buffer overflow in microjson parsing. If gpsd is reachable from a network segment accessible to an attacker, malicious GPS/NMEA protocol messages could trigger code execution. High skill is required to construct the payload.

Prerequisites

Network access to gpsd service (default port 2947)
Adjacent network access (same LAN or directly connected network)
Device running vulnerable gpsd version 2.90–3.17 or microjson 1.0–1.3
No authentication required to send messages to gpsd

remotely exploitableno authentication requiredadjacent network access requiredstack buffer overflow (CWE-121)no patch available for versions in use (end-of-life software)high CVSS score (8.3)potential code executionlow EPSS score (3.5%) suggests low real-world exploitation probability

Exploitability

Some exploitation risk — EPSS score 3.1%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

gpsd:≥ 2.90 | ≤ 3.173.18 or newer

microjson:≥ 1.0 | ≤ 1.31.4 or newer

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDIsolate gpsd devices from untrusted networks using firewall rules; restrict access to port 2947 to only authorized management and operational networks

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade gpsd to version 3.18 or newer

HOTFIXUpgrade microjson to version 1.4 or newer

Long-term hardening

0/2

HARDENINGImplement network segmentation to place GPS/navigation devices on a separate VLAN or subnet with restricted connectivity from user networks and the internet

HARDENINGIf gpsd is exposed to the Internet or adjacent untrusted networks, disable remote access or require VPN authentication for all connections

CVEs (1)

CVE-2018-17937

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/549178e4-93ad-4633-8c01-2c07333b9a52

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.