Headline
CVE-2023-31465: FSMLabs Cybersecurity - FSMLabs
An issue was discovered in FSMLabs TimeKeeper 8.0.17 through 8.0.28. By intercepting requests from various timekeeper streams, it is possible to find the getsamplebacklog call. Some query parameters are passed directly in the URL and named arg[x], with x an integer starting from 1; it is possible to modify arg[2] to insert Bash code that will be executed directly by the server.
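As an added detection example (not FSMLabs code and not part of the advisory), the Python script below scans web access-log lines for getsamplebacklog requests whose arg[x] values decode to shell metacharacters. The combined log format, the /example path, the action parameter and the sample lines are constructed assumptions; the page supplies only the call name and the arg[x] naming.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters that end a shell word, chain commands, or start a substitution.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")
ARG_NAME = re.compile(r"^arg\[(\d+)\]$")
# Request target inside a common/combined-format access log line (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_args(target):
    """Return {x: decoded value} for arg[x] values carrying shell metacharacters."""
    try:
        parts = urlsplit(target)
    except ValueError:          # malformed target: nothing to parse
        return {}
    # Assumption: the call name shows up somewhere in the path or query string.
    if "getsamplebacklog" not in parts.path + "?" + parts.query:
        return {}
    hits = {}
    # parse_qsl percent-decodes names and values, so arg%5B2%5D matches arg[2].
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        m = ARG_NAME.match(name)
        if m and SHELL_META.search(value):
            hits[int(m.group(1))] = value
    return hits

def scan(lines):
    """Return [(line_number, {x: value})] for every flagged request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        hits = suspicious_args(m.group(1)) if m else {}
        if hits:
            findings.append((n, hits))
    return findings

# Constructed sample lines (documentation IP range, hypothetical URL layout).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2023:10:00:01 +0000] "GET /example?action=getsamplebacklog&arg[1]=src0&arg[2]=100 HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/May/2023:10:00:09 +0000] "GET /example?action=getsamplebacklog&arg%5B1%5D=src0&arg%5B2%5D=100%3Bdate HTTP/1.1" 200 64',
    '192.0.2.10 - - [01/May/2023:10:00:12 +0000] "GET /example?action=status&arg[2]=a%7Cb HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: suspicious arg values {hits}")
```

The check decodes each value once, so double-encoded input and request bodies that are not logged are outside what it can see.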
Financial networks have been the obvious targets, and disrupting clock sync in a first responder system, automated manufacturing, power plants or data centers could have more significant effects. For example, Google has recently identified clock synchronization methods for operating global databases (James Corbett 2012), and clock sync has been widely employed in data systems for decades (Liskov 1993).
Summary
Clock synchronization is a key technology for the operation and security of the entire US technology landscape, extending from financial markets through electric power distribution.
There are numerous identified and not widely appreciated vulnerabilities in legacy clock synchronization technology, many of which are addressed in field-tested solutions FSMLabs has deployed.
There are avenues for using clock synchronization to improve the security of sectors that do not normally utilize clock synchronization.
FSMLabs has mature technologies in production that could be incorporated in a defense-in-depth protection strategy to address issues noted in the 2018 DOD Cyber Security Strategy.
FSMLabs has R&D projects that could be rapidly incorporated into existing systems.
Bibliography
Department of Defense. 2018. “Cyber Strategy Summary 2018.” Department of Defense. https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF.
Dougan, Cort. 2018. Method, system, and computer program product for GNSS receiver signal health and security analysis. USA Patent 10,024,975. July 17.
Dropping, Coggins, Platt. 2018. “Timing Security: Mitigating Threats in a Changing Landscape Webinar.” ATIS. May 22. https://www.atis.org/wp-content/uploads/01_news_events/webinar-pptslides/Timing-Security5222018.pdf.
- www.finra.org. https://www.finra.org/rules-guidance/rulebooks/finra-rules/6820.
—. 2019. “Clock Sync Safety and Security in Depth.” WSTS 2019 Talks. https://wsts.atis.org/wp-content/uploads/sites/9/2019/03/4_06_FSMLabs_Dougan_Security_for_Enterprise_in_Depth.pdf.
—. 2017. “Smart and dumb clients and the “so-called” Best Master Clock Algorithm in PTP IEEE 1588.” medium.com/fsmlabs. April 21. https://medium.com/fsmlabs/smart-and-dumb-clients-and-the-so-called-best-master-clock-algorithm-in-ptp-ieee-1588-6739608d4cff.
Humphreys, Todd E., et al. 2008. “Assessing the spoofing threat: Development of a portable GPS civilian spoofer.” Radionavigation laboratory conference proceedings.
James Corbett, Jeffrey Dean, Michael Epstein, Andrew Fikes, Christopher Frost, J. J. Furman, Sanjay Ghemawat, Andrey Gubarev, Christopher Heiser, Peter Hochschild, Wilson Hsieh, Sebastian Kanthak, Eugene Kogan, Hongyi Li, Alexander Lloyd, Sergey Melnik, et al. 2012. “Spanner: Google’s globally-distributed database.” Proceedings of the 10th USENIX Conference on Operating Systems Design and Implementation. USENIX.
Liskov, Barbara. 1993. “Practical uses of synchronized clocks in distributed systems.” Distributed Computing 211-219.
Timms, Aaron. 2015. “Y2K.00001: Markets Take a Leap Second Into the Void.” Institutional Investor. June 30. https://www.institutionalinvestor.com/article/b14z9ydlpr8hln/y2k00001-markets-take-a-leap-second-into-the-void.
Yodaiken, Cort Dougan and Victor. 2017. Method, time consumer system, and computer program product for maintaining accurate time on an ideal clock. USA Patent 9,671,761. June 6.
Yodaiken, Victor. 2014. Systems and methods for detecting a security breach in a computer system. USA Patent 8,793,794. July 29.
—. 2015. “The Enterprise Profile for PTP and TimeKeeper.” www.yodaiken.com. October 1.