CVE-2025-67269

Source: cve@mitre.org

HIGH
7.5
Published: January 2, 2026 at 04:17 PM
Modified: January 9, 2026 at 10:07 PM

Vulnerability Description

An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

AI Security Analysis

01 // Technical Summary

GPSD, a daemon for handling GPS data, is vulnerable to a Denial of Service (DoS) attack due to an integer underflow in its NAVCOM packet parsing. This flaw allows an attacker to send a crafted packet, causing the service to consume 100% CPU and become unresponsive, effectively shutting down GPS data processing.

02 // Vulnerability Mechanism

Step 1: Packet Injection: An attacker crafts a malicious NAVCOM packet. The critical aspect of this packet is the length byte (c) at a specific position: a value below 4 makes the subtraction of 4 underflow.

Step 2: Vulnerable Function Call: The crafted packet is sent to the gpsd service, triggering the nextstate() function in gpsd/packet.c to process the NAVCOM packet.

Step 3: Length Calculation: Inside nextstate(), the vulnerable line lexer->length = (size_t)c - 4 is executed. Because c is less than 4, an underflow occurs.

Step 4: Length Overwrite: The underflow sets lexer->length to a very large value, effectively representing a huge payload size.

Step 5: Parsing Loop: The parser enters a loop, attempting to read and process the payload based on the inflated lexer->length value.

Step 6: CPU Exhaustion: The loop consumes excessive CPU resources as it tries to read a massive amount of data that doesn't exist, leading to 100% CPU utilization.

Step 7: Denial of Service: The gpsd service becomes unresponsive, effectively denying service to legitimate GPS data consumers.

03 // Deep Technical Analysis

The vulnerability lies within the nextstate() function in gpsd/packet.c. The code calculates the payload length using lexer->length = (size_t)c - 4 without validating that c is greater than or equal to 4. If c is less than 4, an integer underflow occurs, resulting in lexer->length being set to a very large value (close to SIZE_MAX). The subsequent parsing loop attempts to read a massive amount of data, leading to excessive CPU usage and a DoS. The root cause is a missing bounds check on the input byte c before performing the subtraction, allowing an uncontrolled value to be used in the length calculation. This is not a buffer overflow: the inflated length does not produce an out-of-bounds write, but it keeps the parser consuming input far beyond the real packet boundary, so the practical effect is a denial of service.

04 // Exploitation Status

Discovery Only. No public Proof-of-Concept (PoC) exploits are currently known, but the vulnerability is easily reproducible with a crafted packet. The simplicity of the flaw suggests a high likelihood of future exploitation.

05 // Threat Intelligence

While no specific APTs are known to be actively exploiting this vulnerability at this time, the potential for DoS makes it attractive to various threat actors. The impact on critical infrastructure that relies on GPS data (e.g., navigation, timing, and synchronization) could make it a target for state-sponsored actors. This vulnerability is not currently listed on the CISA KEV catalog, but it is a likely candidate given its potential impact.

06 // Detection & Hunting

  • Network Intrusion Detection Systems (NIDS) can be configured to detect malformed NAVCOM packets. Specifically, a NAVCOM length byte below 4 is the malformed value that triggers the underflow; the inflated length exists only inside the parser and is not visible on the wire.

  • Monitor CPU utilization of the gpsd process. A sustained 100% CPU usage by gpsd is a strong indicator of a potential attack.

  • Analyze gpsd logs for error messages related to packet parsing or memory allocation. Look for indications of large buffer sizes or unexpected data lengths.

  • Implement host-based intrusion detection systems (HIDS) to monitor file integrity and process behavior. Look for changes to the gpsd binary or unusual process activity.

  • Monitor network traffic for unusual patterns, such as a sudden increase in NAVCOM packet volume or packets originating from unexpected sources.

07 // Remediation & Hardening

  • Upgrade to a gpsd build that includes commit ffa1d6f40bca0b035fc7f5e563160ebb67199da7 or later, which contains the fix for the vulnerability.

  • Implement input validation to ensure that the byte value c used in the length calculation is greater than or equal to 4. This can be done by adding a check before the subtraction operation.

  • Apply rate limiting to NAVCOM packet processing to mitigate the impact of a DoS attack. Limit the number of packets processed per unit of time.

  • Monitor the gpsd service and related infrastructure for signs of compromise or unusual activity.

  • Consider using a Web Application Firewall (WAF) or other network security devices to filter malicious traffic.
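The length arithmetic from the Deep Technical Analysis and the bounds check recommended under Remediation, as an added stand-alone illustration. This is not gpsd's code: `navcom_length_unchecked`, `navcom_length_checked` and `bytes_still_expected` are hypothetical helpers that only model the `(size_t)c - 4` computation and its consequence.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the flawed computation (not gpsd's code).
 * `c` is the NAVCOM length byte read from the packet header; the
 * subtraction wraps when c < 4, e.g. (size_t)3 - 4 == SIZE_MAX. */
size_t navcom_length_unchecked(unsigned char c)
{
    return (size_t)c - 4;
}

/* Hardened variant: reject any length byte below 4 before subtracting,
 * so the stored length can never wrap. Returns false on a malformed
 * byte; the caller should treat the packet as garbage and resync. */
bool navcom_length_checked(unsigned char c, size_t *length_out)
{
    if (c < 4) {
        return false;
    }
    *length_out = (size_t)c - 4;
    return true;
}

/* Models the consume loop: after `bytes_available` bytes have been fed
 * to the parser, how many does it still believe are outstanding? With
 * a wrapped length this stays near SIZE_MAX, so the packet never
 * completes and the state machine keeps spinning on input. */
size_t bytes_still_expected(size_t declared_len, size_t bytes_available)
{
    return declared_len > bytes_available ? declared_len - bytes_available : 0;
}

int main(void)
{
    /* Constructed sample length bytes: 0 and 3 wrap, 4 and 0x1C do not. */
    const unsigned char samples[] = { 0, 3, 4, 0x1C };
    for (size_t i = 0; i < sizeof samples; i++) {
        size_t len = 0;
        if (navcom_length_checked(samples[i], &len)) {
            printf("c=%u -> payload length %zu\n", samples[i], len);
        } else {
            size_t wrapped = navcom_length_unchecked(samples[i]);
            printf("c=%u -> rejected; unchecked length %zu, still expecting %zu "
                   "bytes after a 64-byte read\n", samples[i], wrapped,
                   bytes_still_expected(wrapped, 64));
        }
    }
    return 0;
}
```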

08 // Affected Products

gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`