CVE-2018-17937

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of gpsd or microjson via a stack-based buffer overflow. Attackers can exploit this by sending malicious traffic to Port 2947/TCP or crafted JSON inputs. Affected systems include embedded platforms and any systems using gpsd versions 2.90 to 3.17 or microjson versions 1.0 to 1.3.

💻 Affected Systems

Products:
  • gpsd
  • microjson
Versions: gpsd 2.90 to 3.17, microjson 1.0 to 1.3
Operating Systems: Linux, Unix-like systems, Embedded platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Default installations with gpsd listening on Port 2947/TCP are vulnerable. Embedded systems using microjson for JSON parsing are also affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case: Service disruption, denial of service, or limited code execution depending on system hardening.

🟢 If Mitigated: Denial of service if exploit attempts are blocked, but no code execution.

🌐 Internet-Facing: HIGH - Port 2947/TCP is exposed by default and vulnerable to unauthenticated remote attacks.
🏢 Internal Only: MEDIUM - Internal attackers could exploit via network access, but requires specific targeting.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward via network traffic or JSON input manipulation. Public advisories and references indicate active exploitation awareness.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: gpsd 3.18+, microjson 1.4+

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-18-310-01

Restart Required: Yes

Instructions:

1. Update gpsd to version 3.18 or later.
2. Update microjson to version 1.4 or later.
3. Restart the gpsd service or affected applications.

🔧 Temporary Workarounds

Block Port 2947/TCP

linux

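Prevent external access to the vulnerable service using firewall rules. The rule below drops all inbound TCP traffic to port 2947, including connections from local clients over loopback, and because -A appends it, any earlier ACCEPT rule for the port still takes precedence.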

sudo iptables -A INPUT -p tcp --dport 2947 -j DROP

Disable gpsd Service

linux

Stop and disable the gpsd service if not required.

sudo systemctl stop gpsd
sudo systemctl disable gpsd

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems.
  • Use application firewalls or intrusion prevention systems to block malicious JSON inputs.

🔍 How to Verify

Check if Vulnerable:

Check gpsd version with 'gpsd --version' or microjson version in application dependencies.

Check Version:

gpsd --version

Verify Fix Applied:

Confirm version is gpsd 3.18+ or microjson 1.4+ and service is restarted.
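
A version-range check for the verification steps above, as an added example that is not part of the original advisory: it classifies a gpsd version string against the affected and fixed ranges stated on this page. The function names, the output labels and the sample banner format are assumptions; microjson is not covered.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a gpsd version string
# against the ranges stated on this page.
#   affected: 2.90 through 3.17    fixed: 3.18 and later

gpsd_version_status() {
    # Take the first "major.minor" pair found in the supplied text, so both
    # a bare "3.17" and a longer banner line are accepted.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver% *}
    minor=${ver#* }

    # Compare components as integers: 3.9 is older than 3.17, which a plain
    # string or decimal comparison gets wrong.
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 18 ]; }; then
        echo fixed
    elif [ "$major" -eq 3 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 90 ]; }; then
        echo vulnerable
    else
        echo below-listed-range
    fi
}

# Query the local install with the command given on this page.
installed_gpsd_status() {
    if ! command -v gpsd >/dev/null 2>&1; then
        echo not-installed
        return 0
    fi
    gpsd_version_status "$(gpsd --version 2>&1 | head -n 1)"
}

# Constructed sample inputs; the banner format is an assumption.
for sample in "gpsd: 3.17 (revision 3.17)" "3.18.1" "3.9" "2.90" "2.39" "n/a"; do
    printf '%-28s %s\n' "$sample" "$(gpsd_version_status "$sample")"
done
```

Distribution packages may backport the fix without changing the upstream version number, so a "vulnerable" result on a packaged build should be checked against the distributor's changelog.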

📡 Detection & Monitoring

Log Indicators:

  • Unusual connections to Port 2947
  • gpsd service crashes or abnormal restarts

Network Indicators:

  • Malformed JSON traffic to Port 2947/TCP
  • Exploit attempts from unknown sources

SIEM Query:

destination_port:2947 AND (payload_contains:"buffer overflow" OR abnormal_packet_size)
