Clarification request on open-iscsi affected by uIP vulnerabilities (AMNESIA:33)

Christian Fischer

Dec 17, 2020, 1:41:06 PM
to open-...@googlegroups.com, secu...@debian.org
Hi,

The following CVEs are related to the recent AMNESIA:33 vulnerabilities
affecting various open source network stack components:

https://nvd.nist.gov/vuln/detail/CVE-2020-13987
https://nvd.nist.gov/vuln/detail/CVE-2020-13988
https://nvd.nist.gov/vuln/detail/CVE-2020-17437
https://nvd.nist.gov/vuln/detail/CVE-2020-17438
https://nvd.nist.gov/vuln/detail/CVE-2020-17439
https://nvd.nist.gov/vuln/detail/CVE-2020-17440
https://nvd.nist.gov/vuln/detail/CVE-2020-24334
https://nvd.nist.gov/vuln/detail/CVE-2020-24335 (not published yet)

While the CVEs mention Contiki and/or uIP, a paper [1] of the
research teams reveals this detail:

> The open-iscsi project, which provides an implementation of the iSCSI
> protocol used by Linux distributions, such as Red Hat, Fedora, SUSE
> and Debian, also imports part of the uIP code. Again, we were able to
> detect that some CVEs apply to it.

and

> Some of the vendors and projects using these original stacks, such as
> open-iscsi, issued their own patches.

Unfortunately, the "some CVEs apply to it" is not further specified (not
even the CVEs for open-iscsi are listed) and I wasn't able to pinpoint
the exact details. Some sources [2] mention 2.1.12 as the fixed version
of open-iscsi (which is wrong, as the latest available version is 2.1.2
from July 2020; I have already contacted the CISA about that a few days
ago but haven't received any response yet) while others [3] mention <=
2.1.1 as vulnerable.

As none of the current releases listed at [4] mention the uIP
vulnerabilities in some way, I would like to ask for clarification of the
following:

- Which CVEs of uIP apply to the code base of uIP imported into
open-iscsi?
- Which releases of open-iscsi are affected?
- Which release of open-iscsi is fixing one or more of these vulnerabilities?

Thank you very much in advance for a response.

Regards,

[1]
https://www.forescout.com/company/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/
[2] https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01
[3]
https://www.heise.de/news/Amnesia-33-Sicherheitshinweise-und-Updates-zu-den-TCP-IP-Lecks-im-Ueberblick-4984341.html
[4] https://github.com/open-iscsi/open-iscsi/releases

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Dr. Jan-Oliver Wagner

The Lee-Man

Dec 18, 2020, 2:42:35 PM
to open-iscsi
Hi Christian:

Chris Leech just merged in the mitigations for these CVEs and tagged a new release.

These CVEs were all related to the uip package that iscsiuio uses. But in fact iscsiuio only uses uip for network "services", such as DHCP, ARP, etc, and not for normal TCP/IP communications. So the risk was, honestly, never very high.

I believe all the CVEs were published 12/8 (or so), but we were working on them for a while before that.

P.S. Thanks to Chris for doing the mitigation work and research, and then merging/publishing the result!

Christian Fischer

Jan 6, 2021, 6:37:57 PM
to open-iscsi
Hi,

and thanks for this summary / the clarification about the affected and fixed versions which clears up everything.

It seems there is also a new security advisory around these vulnerabilities which gives some more background information:


I have also already contacted the CISA again and asked for an update of their advisory, hope they will correct the wrong version info (2.1.12) soon.

Regards,
Christian