Hi,
The following CVEs are related to the recent AMNESIA:33 vulnerabilities
affecting various open source network stack components:
https://nvd.nist.gov/vuln/detail/CVE-2020-13987
https://nvd.nist.gov/vuln/detail/CVE-2020-13988
https://nvd.nist.gov/vuln/detail/CVE-2020-17437
https://nvd.nist.gov/vuln/detail/CVE-2020-17438
https://nvd.nist.gov/vuln/detail/CVE-2020-17439
https://nvd.nist.gov/vuln/detail/CVE-2020-17440
https://nvd.nist.gov/vuln/detail/CVE-2020-24334
https://nvd.nist.gov/vuln/detail/CVE-2020-24335 (not published yet)
While the CVEs mention Contiki and/or uIP, a paper [1] by the
research teams reveals this detail:
> The open-iscsi project, which provides an implementation of the iSCSI
> protocol used by Linux distributions, such as Red Hat, Fedora, SUSE
> and Debian, also imports part of the uIP code. Again, we were able to
> detect that some CVEs apply to it.
and
> Some of the vendors and projects using these original stacks, such as
> open-iscsi, issued their own patches.
Unfortunately, the "some CVEs apply to it" is not further specified (not
even the CVEs for open-iscsi are listed) and I wasn't able to pinpoint
the exact details. Some sources [2] mention 2.1.12 as the fixed version
of open-iscsi (which is wrong as the latest available version is 2.1.2
from July 2020; I have already contacted the CISA about that a few days
ago but haven't received any response yet) while others [3] mention <=
2.1.1 as vulnerable.
As none of the current releases listed at [4] mention the uIP
vulnerabilities in any way, I would like to ask for clarification of the
following:
- Which CVEs of uIP apply to the code base of uIP imported into
  open-iscsi?
- Which releases of open-iscsi are affected?
- Which release of open-iscsi fixes one or more of these vulnerabilities?
Thank you very much in advance for a response.
Regards,
[1] https://www.forescout.com/company/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/
[2] https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01
[3] https://www.heise.de/news/Amnesia-33-Sicherheitshinweise-und-Updates-zu-den-TCP-IP-Lecks-im-Ueberblick-4984341.html
[4] https://github.com/open-iscsi/open-iscsi/releases
--
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Managing Director: Dr. Jan-Oliver Wagner