Re: Clarification request on open-iscsi affected by uIP vulnerabilities (AMNESIA:33)

2021-01-06 Thread 'Christian Fischer' via open-iscsi
Hi,

and thanks for this summary / the clarification about the affected and 
fixed versions which clears up everything.

It seems there is also a new security advisory around these vulnerabilities 
which gives some more background information:

https://github.com/open-iscsi/open-iscsi/security/advisories/GHSA-r278-fm99-8rgp

I have also already contacted the CISA again and asked for an update of 
their advisory, hope they will correct the wrong version info (2.1.12) soon.

Regards,
Christian

On Friday, December 18, 2020 at 8:42:35 PM UTC+1 The Lee-Man wrote:

> Hi Christian:
>
> Chris Leech just merged in the mitigations for these CVEs and tagged a new 
> release.
>
> These CVEs were all related to the uip package that iscsiuio uses. But in 
> fact iscsiuio only uses uip for network "services", such as DHCP, ARP, etc, 
> and not for normal TCP/IP communications. So the risk was, honestly, never 
> very high.
>
> I believe all the CVEs were published 12/8 (or so), but we were working on 
> them for a while before that.
>
> P.S. Thanks to Chris for doing the mitigation work and research, and then 
> merging/publishing the result!
>
> On Thursday, December 17, 2020 at 10:41:06 AM UTC-8 Christian Fischer 
> wrote:
>
>> Hi, 
>>
>> the following CVEs related to the recent AMNESIA:33 vulnerabilities 
>> affecting various open source network stack components: 
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2020-13987 
>> https://nvd.nist.gov/vuln/detail/CVE-2020-13988 
>> https://nvd.nist.gov/vuln/detail/CVE-2020-17437 
>> https://nvd.nist.gov/vuln/detail/CVE-2020-17438 
>> https://nvd.nist.gov/vuln/detail/CVE-2020-17439 
>> https://nvd.nist.gov/vuln/detail/CVE-2020-17440 
>> https://nvd.nist.gov/vuln/detail/CVE-2020-24334 
>> https://nvd.nist.gov/vuln/detail/CVE-2020-24335 (not published yet) 
>>
>> While the CVEs are mentioning Contiki and / or uIP a paper [1] of the 
>> research teams reveals this detail: 
>>
>> > The open-iscsi project, which provides an implementation of the iSCSI 
>> > protocol used by Linux distributions, such as Red Hat, Fedora, SUSE 
>> > and Debian, also imports part of the uIP code. Again, we were able to 
>> > detect that some CVEs apply to it. 
>>
>> and 
>>
>> > Some of the vendors and projects using these original stacks, such as 
>> > open-iscsi, issued their own patches. 
>>
>> Unfortunately the "some CVEs apply to it" is not further specified (not 
>> even the CVEs for open-iscsi are listed) and I wasn't able to pinpoint 
>> the exact details. Some sources [2] mention 2.1.12 as the fixed version 
>> of open-iscsi (which is wrong as the latest available version is 2.1.2 
>> from July 2020, I have already contacted the CISA about that a few days 
>> ago but haven't received any response yet) while others [3] mention <= 
>> 2.1.1 as vulnerable. 
>>
>> As none of the current releases listed at [4] mention the uIP 
>> vulnerabilities in some way I would like to ask for clarification of the 
>> following: 
>>
>> - Which CVEs of uIP apply to the code base of uIP imported into 
>> open-iscsi? 
>> - Which releases of open-iscsi are affected? 
>> - Which release of open-iscsi is fixing one or more of these 
>> vulnerabilities? 
>>
>> Thank you very much in advance for a response. 
>>
>> Regards, 
>>
>> [1] https://www.forescout.com/company/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/
>> [2] https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01
>> [3] https://www.heise.de/news/Amnesia-33-Sicherheitshinweise-und-Updates-zu-den-TCP-IP-Lecks-im-Ueberblick-4984341.html
>> [4] https://github.com/open-iscsi/open-iscsi/releases
>>
>> -- 
>>
>> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD 
>> Greenbone Networks GmbH | https://www.greenbone.net 
>> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460 
>> Managing Director: Dr. Jan-Oliver Wagner
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"open-iscsi" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to open-iscsi+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/open-iscsi/c7dd8133-c778-4d2a-800e-f6d96a441b4an%40googlegroups.com.


Re: Clarification request on open-iscsi affected by uIP vulnerabilities (AMNESIA:33)

2020-12-18 Thread The Lee-Man
Hi Christian:

Chris Leech just merged in the mitigations for these CVEs and tagged a new 
release.

These CVEs were all related to the uip package that iscsiuio uses. But in 
fact iscsiuio only uses uip for network "services", such as DHCP, ARP, etc, 
and not for normal TCP/IP communications. So the risk was, honestly, never 
very high.

I believe all the CVEs were published 12/8 (or so), but we were working on 
them for a while before that.

P.S. Thanks to Chris for doing the mitigation work and research, and then 
merging/publishing the result!

On Thursday, December 17, 2020 at 10:41:06 AM UTC-8 Christian Fischer wrote:

> Hi,
>
> the following CVEs related to the recent AMNESIA:33 vulnerabilities 
> affecting various open source network stack components:
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-13987
> https://nvd.nist.gov/vuln/detail/CVE-2020-13988
> https://nvd.nist.gov/vuln/detail/CVE-2020-17437
> https://nvd.nist.gov/vuln/detail/CVE-2020-17438
> https://nvd.nist.gov/vuln/detail/CVE-2020-17439
> https://nvd.nist.gov/vuln/detail/CVE-2020-17440
> https://nvd.nist.gov/vuln/detail/CVE-2020-24334
> https://nvd.nist.gov/vuln/detail/CVE-2020-24335 (not published yet)
>
> While the CVEs are mentioning Contiki and / or uIP a paper [1] of the 
> research teams reveals this detail:
>
> > The open-iscsi project, which provides an implementation of the iSCSI
> > protocol used by Linux distributions, such as Red Hat, Fedora, SUSE
> > and Debian, also imports part of the uIP code. Again, we were able to
> > detect that some CVEs apply to it.
>
> and
>
> > Some of the vendors and projects using these original stacks, such as
> > open-iscsi, issued their own patches.
>
> Unfortunately the "some CVEs apply to it" is not further specified (not 
> even the CVEs for open-iscsi are listed) and I wasn't able to pinpoint 
> the exact details. Some sources [2] mention 2.1.12 as the fixed version 
> of open-iscsi (which is wrong as the latest available version is 2.1.2 
> from July 2020, I have already contacted the CISA about that a few days 
> ago but haven't received any response yet) while others [3] mention <= 
> 2.1.1 as vulnerable.
>
> As none of the current releases listed at [4] mention the uIP 
> vulnerabilities in some way I would like to ask for clarification of the 
> following:
>
> - Which CVEs of uIP apply to the code base of uIP imported into 
> open-iscsi?
> - Which releases of open-iscsi are affected?
> - Which release of open-iscsi is fixing one or more of these 
> vulnerabilities?
>
> Thank you very much in advance for a response.
>
> Regards,
>
> [1] https://www.forescout.com/company/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/
> [2] https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01
> [3] https://www.heise.de/news/Amnesia-33-Sicherheitshinweise-und-Updates-zu-den-TCP-IP-Lecks-im-Ueberblick-4984341.html
> [4] https://github.com/open-iscsi/open-iscsi/releases
>
> -- 
>
> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
> Greenbone Networks GmbH | https://www.greenbone.net
> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
> Managing Director: Dr. Jan-Oliver Wagner
>



Clarification request on open-iscsi affected by uIP vulnerabilities (AMNESIA:33)

2020-12-17 Thread 'Christian Fischer' via open-iscsi

Hi,

the following CVEs related to the recent AMNESIA:33 vulnerabilities 
affecting various open source network stack components:


https://nvd.nist.gov/vuln/detail/CVE-2020-13987
https://nvd.nist.gov/vuln/detail/CVE-2020-13988
https://nvd.nist.gov/vuln/detail/CVE-2020-17437
https://nvd.nist.gov/vuln/detail/CVE-2020-17438
https://nvd.nist.gov/vuln/detail/CVE-2020-17439
https://nvd.nist.gov/vuln/detail/CVE-2020-17440
https://nvd.nist.gov/vuln/detail/CVE-2020-24334
https://nvd.nist.gov/vuln/detail/CVE-2020-24335 (not published yet)

While the CVEs are mentioning Contiki and / or uIP a paper [1] of the 
research teams reveals this detail:


> The open-iscsi project, which provides an implementation of the iSCSI
> protocol used by Linux distributions, such as Red Hat, Fedora, SUSE
> and Debian, also imports part of the uIP code. Again, we were able to
> detect that some CVEs apply to it.

and

> Some of the vendors and projects using these original stacks, such as
> open-iscsi, issued their own patches.

Unfortunately the "some CVEs apply to it" is not further specified (not 
even the CVEs for open-iscsi are listed) and I wasn't able to pinpoint 
the exact details. Some sources [2] mention 2.1.12 as the fixed version 
of open-iscsi (which is wrong as the latest available version is 2.1.2 
from July 2020, I have already contacted the CISA about that a few days 
ago but haven't received any response yet) while others [3] mention <= 
2.1.1 as vulnerable.

As none of the current releases listed at [4] mention the uIP 
vulnerabilities in some way I would like to ask for clarification of the 
following:

- Which CVEs of uIP apply to the code base of uIP imported into 
open-iscsi?
- Which releases of open-iscsi are affected?
- Which release of open-iscsi is fixing one or more of these vulnerabilities?

Thank you very much in advance for a response.

Regards,

[1] https://www.forescout.com/company/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/
[2] https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01
[3] https://www.heise.de/news/Amnesia-33-Sicherheitshinweise-und-Updates-zu-den-TCP-IP-Lecks-im-Ueberblick-4984341.html
[4] https://github.com/open-iscsi/open-iscsi/releases

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Managing Director: Dr. Jan-Oliver Wagner
