gpsd Open Source Project
CVSS 8.3 · ICS-CERT ICSA-18-310-01 · Nov 6, 2018
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A stack buffer overflow exists in gpsd versions 2.90–3.17 and microjson versions 1.0–1.3 in the parsing of GPS/NMEA protocol messages. An attacker on an adjacent network can send a malicious message to the gpsd service to trigger the overflow, leading to remote code execution, data exfiltration, or denial of service via crash. High skill is required to exploit. Platforms with stack protectors and local variable reordering limit impact to availability only. No known public exploits exist at the time of this advisory.
What this means
What could happen
An attacker with network access to a device running vulnerable gpsd could execute arbitrary code on the device, potentially exfiltrating data or crashing it. If gpsd controls or monitors critical infrastructure sensors or navigation, this could disrupt operations.
Who's at risk
Any system or device running gpsd (a GPS daemon commonly used in industrial control systems, maritime navigation, time synchronization appliances, and autonomous vehicles) versions 2.90 through 3.17 is affected. This includes embedded navigation systems, precision timing modules, and any telemetry or location-aware ICS component that depends on gpsd or the microjson library. Critical infrastructure operators relying on GPS-synchronized systems (power grid, water systems, telecommunications) should assess whether gpsd is in use in their environment.
How it could be exploited
An attacker on an adjacent network sends a specially crafted message to the gpsd service (typically listening on port 2947). The vulnerability is a stack buffer overflow in microjson parsing. If gpsd is reachable from a network segment accessible to an attacker, malicious GPS/NMEA protocol messages could trigger code execution. High skill is required to construct the payload.
Prerequisites
- Network access to gpsd service (default port 2947)
- Adjacent network access (same LAN or directly connected network)
- Device running vulnerable gpsd version 2.90–3.17 or microjson 1.0–1.3
- No authentication required to send messages to gpsd
- remotely exploitable
- no authentication required
- adjacent network access required
- stack buffer overflow (CWE-121)
- no patch available for versions in use (end-of-life software)
- high CVSS score (8.3)
- potential code execution
- low EPSS score (3.5%) suggests low real-world exploitation probability
Exploitability
Moderate exploit probability (EPSS 3.5%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
gpsd | ≥ 2.90, ≤ 3.17 | 3.18 or newer
microjson | ≥ 1.0, ≤ 1.3 | 1.4 or newer
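To turn the version ranges in the table into a repeatable inventory check, here is an added Python example (not part of the advisory or of the gpsd project) that classifies version strings against the affected and fixed versions listed above. The `gpsd: 3.17 (revision 3.17)` banner format, the product labels and the host names are assumptions or constructed sample data.

```python
import re

# Inclusive affected ranges and first fixed version, as listed in the advisory table.
# Values are (major, minor) tuples: (range_low, range_high, first_fixed).
AFFECTED = {
    "gpsd": ((2, 90), (3, 17), (3, 18)),
    "microjson": ((1, 0), (1, 3), (1, 4)),
}


def parse_version(text):
    """Return the first dotted version found in `text` as a tuple of ints, or None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups() if part is not None)


def assess(product, version_text):
    """Classify one product/version against the advisory.

    Returns 'affected', 'fixed', 'outside-range' (a version the advisory does not
    list, e.g. older than the affected range) or 'unknown' (no parsable version
    or a product the advisory does not cover).
    """
    version = parse_version(version_text)
    if version is None or product not in AFFECTED:
        return "unknown"
    low, high, fixed = AFFECTED[product]
    key = version[:2]  # compare on major.minor; point releases inherit that status
    if low <= key <= high:
        return "affected"
    if key >= fixed:
        return "fixed"
    return "outside-range"


# Constructed sample inventory (host, product, version banner); not real hosts.
# The banner format assumed here follows the style of `gpsd -V` output.
SAMPLE_INVENTORY = [
    ("ntp-appliance-01", "gpsd", "gpsd: 3.17 (revision 3.17)"),
    ("nav-gateway-02", "gpsd", "gpsd: 3.18 (revision 3.18)"),
    ("telemetry-07", "microjson", "microjson 1.2"),
]


def hosts_needing_hotfix(inventory):
    """Return sorted (host, product) pairs whose version falls in an affected range."""
    return sorted((host, product) for host, product, banner in inventory
                  if assess(product, banner) == "affected")


if __name__ == "__main__":
    for host, product in hosts_needing_hotfix(SAMPLE_INVENTORY):
        print(f"{host}: upgrade {product} to {AFFECTED[product][2]} or newer")
```

Feed it the version banners collected from your own hosts to get the list that the HOTFIX steps below apply to.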
Remediation & Mitigation
Do now
WORKAROUND: Isolate gpsd devices from untrusted networks using firewall rules; restrict access to port 2947 to only authorized management and operational networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade gpsd to version 3.18 or newer
HOTFIX: Upgrade microjson to version 1.4 or newer
Long-term hardening
HARDENING: Implement network segmentation to place GPS/navigation devices on a separate VLAN or subnet with restricted connectivity from user networks and the internet
HARDENING: If gpsd is exposed to the Internet or adjacent untrusted networks, disable remote access or require VPN authentication for all connections
CVEs (1)