Re: AMNESIA:33 and FreeBSD TCP/IP stack involvement
> Hartmann, O. wrote this message on Wed, Dec 09, 2020 at 06:58 +0100:
> > I've got a question about recently discovered serious
> > vulnerabilities in certain TCP stack implementations, designated as
> > AMNESIA:33 (as far as I could follow the recently made
> > announcements and statements, please see, for instance,
> > https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
> >
> > All mentioned open-source TCP stacks seem not to be related in any
> > way with FreeBSD or any derivative of the FreeBSD project, but I do
> > not dare to make a statement about that.
> >
> > My question is very simple and aims towards calming down my
> > employees' requests: is FreeBSD potentially vulnerable to this newly
> > discovered flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE
> > and 13-CURRENT, latest incarnations, of course, should be least
> > vulnerable ...).
>
> I'd be surprised if FreeBSD is vulnerable to those flaws, but I cannot
> make any official statement as there are too many to even start to
> investigate them.
>
> Also of note is that there were three other IP stacks that were NOT
> vulnerable to ANY new security issues in that report as well, so it
> isn't like the report found security vulnerabilities in every TCP/IP
> stack they tested.
>
> The best way to have confidence is to pay people to analyze and
> verify that the FreeBSD TCP/IP stack is secure, just as it is w/
> any critical code that a company runs.

Thank you very much for responding. I'll take all comments into consideration; I think one thing is clear: even if I had to report that FreeBSD is vulnerable, I'd have to wait for a patch. Since my personal patch policy on RELENG for FreeBSD is to patch/update as fast as possible after an SA has been published, I'd have to wait for the patches. CURRENT and STABLE systems are updated frequently - on a weekly basis, if necessary.

Kind regards,
O. Hartmann
Re: AMNESIA:33 and FreeBSD TCP/IP stack involvement
On Wed, Dec 09, 2020 at 06:58:49AM +0100, Hartmann, O. wrote:
> Hello,
> I've got a question about recently discovered serious vulnerabilities
> in certain TCP stack implementations, designated as AMNESIA:33 (as far
> as I could follow the recently made announcements and statements,
> please see, for instance,
> https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
>
> All mentioned open-source TCP stacks seem not to be related in any way
> with FreeBSD or any derivative of the FreeBSD project, but I do not
> dare to make a statement about that.
>
> My question is very simple and aims towards calming down my employees'
> requests: is FreeBSD potentially vulnerable to this newly discovered
> flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT,
> latest incarnations, of course, should be least vulnerable ...).

Look at it this way: If it is/was, what are you going to do about it?

[Please don't take this as a personal attack. I get the same kind of questions you are by my bosses and auditors, who live in their own little world where they think there is a guarantee for everything and the only real-world cost is an appropriately asked question.]

If you've got an upgrade policy that rolls out patches when FreeBSD publishes them (or tracking -STABLE or -CURRENT in such a way that they're going to be incorporated with some parity with the security and errata notifications) and you're keeping your packages up to date, you're doing pretty good. If there is a problem, you'll roll out the fixes when they're available. You may not even know they're in there yet.

If you've got a menagerie of FreeBSD-based IoT-style devices that aren't getting regular updates and this bug has shown you the tip of the iceberg to all the other potential problems, then you probably have issues.

Now an attack against the kernel TCP/IP stack is universally bad (possibly bypassing any firewall, probably not requiring authentication, probably gaining the kernel privileges, etc), plenty of other problems are a subset of just as bad. Assuming that the Amnesia:33 report was responsibly disclosed, if FreeBSD was affected we'd probably have fixes out (pre-publication).

On 12/8, you just got a patch released for FreeBSD-SA-20:33.openssl, and that is burned into a lot of OS pieces. Have you pushed those changes out yet? Two paragraphs up, I basically asked a policy question. This paragraph, I'm basically asking you an implementation question: You had a policy, did it work? Did anything get missed? Can someone audit that?

-CURRENT and -STABLE tend to get patches (and, potentially, problems) before -RELENG does, but sometimes that's a natural process of the patches discovering the problems that need to be put into -RELENG. It's always nice to see a bug report for -RELENG and then tracking down the revision and finding out you've been patched for a while now. On the other hand, -STABLE gets daily patches and you probably wouldn't want to have production patch cycles with that kind of frequency.

[Personally, I tend to update -STABLE/-CURRENT when I see a "Security:" tag with a CVE reference, semi-weekly, or when I see something that looks alarming or interesting and -RELENG when it gets a patch.]

___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: AMNESIA:33 and FreeBSD TCP/IP stack involvement
Hartmann, O. wrote this message on Wed, Dec 09, 2020 at 06:58 +0100:
> I've got a question about recently discovered serious vulnerabilities
> in certain TCP stack implementations, designated as AMNESIA:33 (as far
> as I could follow the recently made announcements and statements,
> please see, for instance,
> https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
>
> All mentioned open-source TCP stacks seem not to be related in any way
> with FreeBSD or any derivative of the FreeBSD project, but I do not
> dare to make a statement about that.
>
> My question is very simple and aims towards calming down my employees'
> requests: is FreeBSD potentially vulnerable to this newly discovered
> flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT,
> latest incarnations, of course, should be least vulnerable ...).

I'd be surprised if FreeBSD is vulnerable to those flaws, but I cannot make any official statement as there are too many to even start to investigate them.

Also of note is that there were three other IP stacks that were NOT vulnerable to ANY new security issues in that report as well, so it isn't like the report found security vulnerabilities in every TCP/IP stack they tested.

The best way to have confidence is to pay people to analyze and verify that the FreeBSD TCP/IP stack is secure, just as it is w/ any critical code that a company runs.

--
John-Mark Gurney    Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
Re: AMNESIA:33 and FreeBSD TCP/IP stack involvement
I'm not posting as someone in-the-know about the state of the FreeBSD stack --- I trust the security team to divulge things as required, BUT ...

... the examples of vulnerable things in that article to reference lead me to conclude that the stacks in question are "libraries" ... likely, but not necessarily, written in C for systems running in an operating-system-less environment.

The easiest way to think about this is to look at the "ATmega" line (also known as Arduino). This is an 8-bit processor and the C development kit allows you to link in all kinds of stuff --- from filesystems and micro-SD card support to wifi and IP/IPv6 support. The same libraries are used when the target is a more powerful ARM chip --- but one similarly running without something as full-fledged as an OS --- or even when a very small vestige of an OS includes these libraries.

You could think of these libraries like "what if someone wrote an IP stack for the Commodore 64 and then also ported it to the Amiga" ... as a computer without an operating system and then a port to a computer with an operating system with no concept of networking.

At any rate, these, in general, do not even resemble the network stack in FreeBSD... or indeed any other full-fledged operating system.

Hopefully this tidbit helps in some small way.

On Wed, Dec 9, 2020 at 12:59 AM Hartmann, O. wrote:
> Hello,
> I've got a question about recently discovered serious vulnerabilities
> in certain TCP stack implementations, designated as AMNESIA:33 (as far
> as I could follow the recently made announcements and statements,
> please see, for instance,
> https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/
> ).
>
> All mentioned open-source TCP stacks seem not to be related in any way
> with FreeBSD or any derivative of the FreeBSD project, but I do not
> dare to make a statement about that.
>
> My question is very simple and aims towards calming down my employees'
> requests: is FreeBSD potentially vulnerable to this newly discovered
> flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT,
> latest incarnations, of course, should be least vulnerable ...).
>
> Thanks in advance,
>
> O. Hartmann
AMNESIA:33 and FreeBSD TCP/IP stack involvement
Hello,

I've got a question about recently discovered serious vulnerabilities in certain TCP stack implementations, designated as AMNESIA:33 (as far as I could follow the recently made announcements and statements, please see, for instance, https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).

All mentioned open-source TCP stacks seem not to be related in any way with FreeBSD or any derivative of the FreeBSD project, but I do not dare to make a statement about that.

My question is very simple and aims towards calming down my employees' requests: is FreeBSD potentially vulnerable to this newly discovered flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT, latest incarnations, of course, should be least vulnerable ...).

Thanks in advance,

O. Hartmann