Hi Christian:

Chris Leech just merged in the mitigations for these CVEs and tagged a new 
release.

These CVEs were all related to the uip package that iscsiuio uses. But in 
fact iscsiuio only uses uip for network "services", such as DHCP, ARP, etc., 
and not for normal TCP/IP communications. So the risk was, honestly, never 
very high.

I believe all the CVEs were published 12/8 (or so), but we were working on 
them for a while before that.

P.S. Thanks to Chris for doing the mitigation work and research, and then 
merging/publishing the result!

On Thursday, December 17, 2020 at 10:41:06 AM UTC-8 Christian Fischer wrote:

> Hi,
>
> the following CVEs related to the recent AMNESIA:33 vulnerabilities 
> affecting various open source network stack components:
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-13987
> https://nvd.nist.gov/vuln/detail/CVE-2020-13988
> https://nvd.nist.gov/vuln/detail/CVE-2020-17437
> https://nvd.nist.gov/vuln/detail/CVE-2020-17438
> https://nvd.nist.gov/vuln/detail/CVE-2020-17439
> https://nvd.nist.gov/vuln/detail/CVE-2020-17440
> https://nvd.nist.gov/vuln/detail/CVE-2020-24334
> https://nvd.nist.gov/vuln/detail/CVE-2020-24335 (not published yet)
>
> While the CVEs mention Contiki and/or uIP, a paper [1] by the 
> research teams reveals this detail:
>
> > The open-iscsi project, which provides an implementation of the iSCSI
> > protocol used by Linux distributions, such as Red Hat, Fedora, SUSE
> > and Debian, also imports part of the uIP code. Again, we were able to
> > detect that some CVEs apply to it.
>
> and
>
> > Some of the vendors and projects using these original stacks, such as
> > open-iscsi, issued their own patches.
>
> Unfortunately the "some CVEs apply to it" is not further specified (not 
> even the CVEs for open-iscsi are listed) and I wasn't able to pinpoint 
> the exact details. Some sources [2] mention 2.1.12 as the fixed version 
> of open-iscsi (which is wrong as the latest available version is 2.1.2 
> from July 2020, I have already contacted the CISA about that a few days 
> ago but haven't received any response yet) while others [3] mention <= 
> 2.1.1 as vulnerable.
>
> As none of the current releases listed at [4] mention the uIP 
> vulnerabilities in some way, I would like to ask for clarification of the 
> following:
>
> - Which CVEs of uIP apply to the code base of uIP imported into 
> open-iscsi?
> - Which releases of open-iscsi are affected?
> - Which release of open-iscsi is fixing one or more of these 
> vulnerabilities?
>
> Thank you very much in advance for a response.
>
> Regards,
>
> [1] https://www.forescout.com/company/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/
> [2] https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01
> [3] https://www.heise.de/news/Amnesia-33-Sicherheitshinweise-und-Updates-zu-den-TCP-IP-Lecks-im-Ueberblick-4984341.html
> [4] https://github.com/open-iscsi/open-iscsi/releases
>
> -- 
>
> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
> Greenbone Networks GmbH | https://www.greenbone.net
> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
> Geschäftsführer: Dr. Jan-Oliver Wagner
>
