CVE-2025-67268

Source: cve@mitre.org

CRITICAL
9.8
Published: January 2, 2026 at 04:17 PM
Modified: January 12, 2026 at 03:33 PM

Vulnerability Description

gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.

CVSS Metrics

Base Score
9.8
Severity
CRITICAL
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

AI Security Analysis

01 // Technical Summary

gpsd, a daemon for handling GPS data, is vulnerable to a critical heap-based out-of-bounds write due to improper input validation in the driver_nmea2000.c file. This flaw allows an attacker to overwrite memory by sending a crafted NMEA2000 message, potentially leading to denial of service (DoS) or remote code execution (RCE).

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a system running a vulnerable version of gpsd.

Step 2: Payload Creation: The attacker crafts a malicious NMEA2000 PGN 129540 packet. This packet includes a satellite count greater than 184, triggering the vulnerability.

Step 3: Packet Delivery: The attacker gets the crafted message onto the CAN bus that gpsd reads through an nmea2000:// source (a SocketCAN interface); gpsd's NMEA2000 driver is only attached to such sources, not to its TCP client port or to a serial line. That requires either physical access to the bus or a foothold on a device that bridges onto it, such as a CAN gateway or another bus participant.

Step 4: Vulnerability Trigger: The hnd_129540 function processes the malicious packet. Due to the missing bounds check, the code attempts to write satellite data beyond the allocated memory for the skyview array.

Step 5: Memory Corruption: The out-of-bounds write corrupts adjacent memory regions on the heap.

Step 6: Exploitation (DoS/RCE): The memory corruption can lead to a crash (DoS) or, if the attacker has sufficient control over the overwritten data, the execution of arbitrary code (RCE). The specific impact depends on the memory layout and the attacker's payload.

03 // Deep Technical Analysis

The vulnerability lies within the hnd_129540 function in drivers/driver_nmea2000.c, the handler for NMEA2000 PGN 129540 (GNSS Satellites in View). The handler takes the satellite count straight from the packet, where it is a single byte and so can be anything from 0 to 255, and then copies one satellite record per counted satellite into the session's skyview array, which holds 184 entries. Nothing compares the count to that size before the copy loop, so a count of 255 writes 71 records past the end of the array into whatever follows it in memory. Depending on what is overwritten, the result is a crash (DoS) or, with a payload crafted against the concrete memory layout, attacker-controlled execution in the daemon (RCE).
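The mechanism described in 02 and 03, shown as an added example that is not gpsd's code: a simplified model of a PGN 129540 handler in its vulnerable shape (count byte trusted) and its bounds-checked shape, run against a constructed payload. Assumptions: the field names are modelled on gpsd's satellite_t but the structs are the example's own; the payload follows the PGN 129540 layout of a 3-byte header followed by 12 bytes per satellite; the slack-plus-canary harness around the session and the volatile qualifiers exist only so the overflow is observable instead of crashing the demo, and are not part of any fix. The length check in the hardened parser is an extra precaution this advisory does not discuss.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Demo model of the per-session satellite table; 184 is the skyview size the
 * advisory names. Not gpsd's code. */
#define MAXCHANNELS    184
#define PGN_HEADER_LEN 3    /* SID, range-residual mode, satellite count */
#define SAT_RECORD_LEN 12   /* PGN 129540 carries 12 bytes per satellite (assumed layout) */
#define CANARY_LEN     8

struct satellite_t { short PRN; short elevation; short azimuth; double ss; bool used; };

struct session_t {
    uint8_t sid;
    uint8_t mode;
    int satellites_visible;
    struct satellite_t skyview[MAXCHANNELS];   /* fixed size: the overflow target */
};

/* NMEA2000 fields are little-endian. */
static uint16_t getle16(const uint8_t *b, size_t off) { return (uint16_t)(b[off] | (b[off + 1] << 8)); }

/* Decodes one 12-byte record into a skyview slot. volatile is a demo aid: it
 * forces the compiler to emit every store, including the out-of-bounds ones. */
static void decode_record(volatile struct satellite_t *sv, const uint8_t *rec)
{
    sv->PRN       = (short)rec[0];
    sv->elevation = (int16_t)getle16(rec, 1) / 100;
    sv->azimuth   = getle16(rec, 3) / 100;
    sv->ss        = (int16_t)getle16(rec, 5) * 0.01;
    sv->used      = (rec[11] & 0x0f) == 2 || (rec[11] & 0x0f) == 5;
}

/* Vulnerable shape: the count byte is trusted, so i runs to 254 for a count of 255. */
static int parse_129540_vulnerable(struct session_t *s, const uint8_t *bu, size_t len)
{
    (void)len;
    s->sid = bu[0];
    s->mode = bu[1] & 0x03;
    s->satellites_visible = bu[2];            /* 0..255, never compared to MAXCHANNELS */
    memset(s->skyview, 0, sizeof s->skyview);
    volatile struct satellite_t *sv = s->skyview;
    for (int i = 0; i < s->satellites_visible; i++)
        decode_record(&sv[i], bu + PGN_HEADER_LEN + SAT_RECORD_LEN * (size_t)i);
    return s->satellites_visible;
}

/* Hardened shape: reject a count the array cannot hold (the missing check) and,
 * as an extra precaution, a payload too short for the records it claims. */
static int parse_129540_fixed(struct session_t *s, const uint8_t *bu, size_t len)
{
    if (len < PGN_HEADER_LEN) return -1;
    unsigned count = bu[2];
    if (count > MAXCHANNELS) return -1;                              /* the fix */
    if (len < PGN_HEADER_LEN + (size_t)SAT_RECORD_LEN * count) return -1;
    s->sid = bu[0];
    s->mode = bu[1] & 0x03;
    s->satellites_visible = (int)count;
    memset(s->skyview, 0, sizeof s->skyview);
    volatile struct satellite_t *sv = s->skyview;
    for (unsigned i = 0; i < count; i++)
        decode_record(&sv[i], bu + PGN_HEADER_LEN + SAT_RECORD_LEN * (size_t)i);
    return (int)count;
}

/* Constructed (not captured) reassembled PGN 129540 payload with the given
 * count byte and one synthetic record per satellite. Returns its length. */
static size_t build_pgn129540(uint8_t *out, size_t cap, unsigned count)
{
    size_t need = PGN_HEADER_LEN + SAT_RECORD_LEN * (size_t)count;
    if (need > cap) return 0;
    out[0] = 0x01;                     /* SID */
    out[1] = 0x00;                     /* range-residual mode */
    out[2] = (uint8_t)count;           /* satellites in view: attacker-controlled */
    for (unsigned i = 0; i < count; i++) {
        uint8_t *rec = out + PGN_HEADER_LEN + SAT_RECORD_LEN * (size_t)i;
        memset(rec, 0, SAT_RECORD_LEN);
        rec[0] = (uint8_t)(i + 1);                           /* PRN */
        rec[1] = 0x10; rec[2] = 0x27; rec[3] = 0x20; rec[4] = 0x4e;   /* elevation, azimuth */
        rec[5] = 0xe8; rec[6] = 0x03; rec[11] = 0x02;               /* SNR, status: used */
    }
    return need;
}

static const uint8_t CANARY[CANARY_LEN] = {0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55, 0xAA, 0x55};

/* Runs one parser on a payload with the given count. The session sits at the
 * start of a larger slab with a canary right behind it, so the overflow stays
 * in memory we own and can be observed; real gpsd has no such slack. Returns
 * the parser's result; *canary_ok says whether the bytes behind it survived. */
static int run_case(bool fixed, unsigned count, bool *canary_ok)
{
    uint8_t pkt[PGN_HEADER_LEN + SAT_RECORD_LEN * 255];
    size_t len = build_pgn129540(pkt, sizeof pkt, count);
    size_t slab_len = sizeof(struct session_t) + CANARY_LEN + 256 * sizeof(struct satellite_t);
    uint8_t *slab = calloc(1, slab_len);
    if (slab == NULL) { *canary_ok = false; return -2; }
    memcpy(slab + sizeof(struct session_t), CANARY, CANARY_LEN);
    struct session_t *s = (struct session_t *)slab;
    int rc = fixed ? parse_129540_fixed(s, pkt, len) : parse_129540_vulnerable(s, pkt, len);
    volatile const uint8_t *c = slab + sizeof(struct session_t);
    *canary_ok = true;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (c[i] != CANARY[i]) *canary_ok = false;
    free(slab);
    return rc;
}

int main(void)
{
    static const struct { bool fixed; unsigned count; } cases[] = {{false, 32}, {false, 255}, {true, 255}, {true, 184}};
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool ok;
        int rc = run_case(cases[i].fixed, cases[i].count, &ok);
        printf("%-10s count=%3u -> rc=%4d, canary %s\n", cases[i].fixed ? "fixed" : "vulnerable",
               cases[i].count, rc, ok ? "intact" : "CLOBBERED");
    }
    return 0;
}
```

With a count of 32 both parsers behave identically. With 255 the vulnerable parser reports 255 satellites and the bytes behind the session are overwritten by the 185th record, while the hardened parser returns -1 before touching the table; 184 is the largest count it accepts.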

04 // Exploitation Status

Discovery Only. No public proof-of-concept (PoC) exploit is available at the time of writing. The trigger condition is a single attacker-controlled byte, so reproduction against a vulnerable build is straightforward and a PoC should be expected.

05 // Threat Intelligence

No APT or other threat actor is known to be exploiting this vulnerability, and it is not yet listed in CISA's KEV catalog. The RCE potential makes it attractive to a wide range of actors once a PoC is public, so treat the current absence of reports as a patching window rather than a reason to defer.

06 // Detection & Hunting

  • Monitor the CAN bus gpsd reads (for example with candump on the nmea2000:// interface) for PGN 129540 messages whose satellite count byte exceeds 184. The skyview array cannot hold more than 184 entries, so any larger count is malformed by definition.

  • Analyze gpsd logs for crashes or unexpected behavior related to the driver_nmea2000.c file.

  • Where a CAN-aware IDS or gateway filter is available, add a rule on PGN 129540 first frames carrying a count byte above 184. Conventional network IDS sensors do not see CAN traffic unless it is bridged onto IP.

  • Watch for gpsd crashes (SIGSEGV or SIGABRT in the journal, core dumps) and unexpected service restarts; corruption of the session structure is far more likely to surface as a crash than as a change in memory usage.

  • Use memory analysis tools (e.g., Valgrind, AddressSanitizer) to detect out-of-bounds writes during testing and development.
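The first detection bullet, as an added example that is not from the page or from gpsd: a triage over candump-style log lines that decodes the PGN from each 29-bit CAN identifier, picks out the first fast-packet frame of PGN 129540 and flags a satellite count byte above 184. Assumptions: candump's default text layout (interface, hex identifier, [dlc], data bytes); NMEA2000 fast-packet framing with the frame counter in the low 5 bits of byte 0 and the total length in byte 1 of the first frame, so the count byte sits at data[4]; the sample log lines are constructed, not captured.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PGN_GNSS_SATS_IN_VIEW 129540u   /* 0x1FA04 */
#define MAXCHANNELS           184       /* skyview size per the advisory */

struct can_frame_rec { char iface[16]; unsigned int id; int dlc; uint8_t data[8]; };

/* Parses one candump-style line, e.g. "  can0  1DFA0401   [8]  A0 93 01 00 0C 01 10 27".
 * Returns 0 on success, -1 on a line that is not a frame. */
static int parse_candump_line(const char *line, struct can_frame_rec *f)
{
    int consumed = 0;
    memset(f, 0, sizeof *f);
    if (sscanf(line, " %15s %8x [%d]%n", f->iface, &f->id, &f->dlc, &consumed) != 3) return -1;
    if (f->dlc < 0 || f->dlc > 8) return -1;
    const char *p = line + consumed;
    for (int i = 0; i < f->dlc; i++) {
        char *end;
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v > 0xFF) return -1;
        f->data[i] = (uint8_t)v;
        p = end;
    }
    return 0;
}

/* J1939/NMEA2000 PGN from the 29-bit identifier: DP, PF and, in PDU2 format
 * (PF >= 240), PS. Priority and source address are not part of the PGN. */
static unsigned pgn_from_can_id(unsigned id)
{
    unsigned dp = (id >> 24) & 0x1, pf = (id >> 16) & 0xFF, ps = (id >> 8) & 0xFF;
    unsigned pgn = (dp << 16) | (pf << 8);
    return pf >= 240 ? pgn | ps : pgn;
}

/* Returns the satellite count if this is the first fast-packet frame of PGN
 * 129540, else -1. First-frame layout (assumed): [seq|frame=0] [total length]
 * [SID] [mode] [count] ... so the count byte is data[4]. */
static int sats_in_view_from_first_frame(const struct can_frame_rec *f)
{
    if (pgn_from_can_id(f->id) != PGN_GNSS_SATS_IN_VIEW) return -1;
    if (f->dlc < 5 || (f->data[0] & 0x1F) != 0) return -1;
    return f->data[4];
}

/* Hunting rule: a count the skyview array cannot hold. */
static int frame_is_suspicious(const struct can_frame_rec *f)
{
    return sats_in_view_from_first_frame(f) > MAXCHANNELS;
}

/* Scans a newline-separated candump log and returns the number of PGN 129540
 * first frames advertising more than MAXCHANNELS satellites. */
static int count_suspicious_frames(const char *log)
{
    int hits = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        if (n < sizeof line) {
            memcpy(line, p, n);
            line[n] = '\0';
            struct can_frame_rec f;
            if (parse_candump_line(line, &f) == 0 && frame_is_suspicious(&f)) hits++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return hits;
}

/* Constructed sample log: a benign 129540 first frame (12 satellites), its
 * continuation frame, a frame for another PGN, and a first frame claiming 255. */
static const char SAMPLE_LOG[] =
    "  can0  1DFA0401   [8]  A0 93 01 00 0C 01 10 27\n"   /* 129540, count 0x0C = 12 */
    "  can0  1DFA0401   [8]  A1 20 4E E8 03 00 00 00\n"   /* continuation frame, ignored */
    "  can0  09F80101   [8]  01 FF FF FF FF FF FF FF\n"   /* PGN 129025, ignored */
    "  can0  1DFA0401   [8]  C0 FF 01 00 FF 01 10 27\n";  /* 129540, count 0xFF = 255 */

int main(void)
{
    printf("suspicious PGN 129540 first frames in sample: %d\n", count_suspicious_frames(SAMPLE_LOG));
    return 0;
}
```

Feed it `candump can0` output saved to a file (or pipe it line by line) and alert on any hit; because the rule keys on the first frame's count byte alone, it does not need to reassemble the fast packet.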

07 // Remediation & Hardening

  • Upgrade to a gpsd build that includes the fix (commit dc966aa or later).

  • If you build from source and cannot move to the fixed commit yet, backport the check: reject or clamp any satellite count above the skyview size (184) before the copy loop in hnd_129540.

  • Apply least privilege principles to the gpsd service, limiting its access to only necessary resources.

  • Harden the system by disabling unnecessary services and features.

  • Regularly monitor system logs for suspicious activity.

  • Restrict which hosts and processes can put frames on the CAN interface gpsd reads; IP-layer filters such as a web application firewall do not see CAN/NMEA2000 traffic and offer no protection here.

08 // Affected Products

gpsd versions prior to the commit dc966aa.