Hello,

I've got a question about recently discovered serious vulnerabilities in certain TCP stack implementations, designated as AMNESIA:33 (as far as I could follow the recently made announcements and statements; please see, for instance, https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).

All mentioned open-source TCP stacks seem not to be related in any way to FreeBSD or any derivative of the FreeBSD project, but I do not dare to make a statement about that.

My question is very simple and aims towards calming down my employees' requests: is FreeBSD potentially vulnerable to this newly discovered flaw? (We use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT; the latest incarnations, of course, should be least vulnerable ...)

Thanks in advance,

O. Hartmann
Hartmann, O. wrote this message on Wed, Dec 09, 2020 at 06:58 +0100:
> I've got a question about recently discovered serious vulnerabilities
> in certain TCP stack implementations, designated as AMNESIA:33 (as far
> as I could follow the recently made announcements and statements,
> please see, for instance,
> https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
>
> All mentioned open-source TCP stacks seem not to be related in any way
> with FreeBSD or any derivative of the FreeBSD project, but I do not
> dare to make a statement about that.
>
> My question is very simple and aims towards calming down my employees'
> requests: is FreeBSD potentially vulnerable to this newly discovered
> flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT,
> latest incarnations, of course, should be least vulnerable ...).

I'd be surprised if FreeBSD is vulnerable to those flaws, but I cannot make any official statement as there are too many to even start to investigate them.

Also of note is that there were three other IP stacks that were NOT vulnerable to ANY new security issues in that report as well, so it isn't like the report found a security vulnerability in every TCP/IP stack they tested.

The best way to have confidence is to pay people to analyze and verify that the FreeBSD TCP/IP stack is secure, just as it is with any critical code that a company runs.

--
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
On Wed, Dec 09, 2020 at 06:58:49AM +0100, Hartmann, O. wrote:
> Hello,
> I've got a question about recently discovered serious vulnerabilities
> in certain TCP stack implementations, designated as AMNESIA:33 (as far
> as I could follow the recently made announcements and statements,
> please see, for instance,
> https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
>
> All mentioned open-source TCP stacks seem not to be related in any way
> with FreeBSD or any derivative of the FreeBSD project, but I do not
> dare to make a statement about that.
>
> My question is very simple and aims towards calming down my employees'
> requests: is FreeBSD potentially vulnerable to this newly discovered
> flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT,
> latest incarnations, of course, should be least vulnerable ...).

Look at it this way: if it is/was, what are you going to do about it?

[Please don't take this as a personal attack. I get the same kind of questions you do from my bosses and auditors, who live in their own little world where they think there is a guarantee for everything and the only real-world cost is an appropriately asked question.]

If you've got an upgrade policy that rolls out patches when FreeBSD publishes them (or tracking -STABLE or -CURRENT in such a way that they're going to be incorporated with some parity with the security and errata notifications) and you're keeping your packages up to date, you're doing pretty well. If there is a problem, you'll roll out the fixes when they're available. You may not even know they're in there yet.

If you've got a menagerie of FreeBSD-based IoT-style devices that aren't getting regular updates and this bug has shown you the tip of the iceberg of all the other potential problems, then you probably have issues.

Now, an attack against the kernel TCP/IP stack is universally bad (possibly bypassing any firewall, probably not requiring authentication, probably gaining kernel privileges, etc.); plenty of other problems are a subset of just as bad. Assuming that the Amnesia:33 report was responsibly disclosed, if FreeBSD was affected we'd probably have fixes out (pre-publication).

On 12/8, you just got a patch released for FreeBSD-SA-20:33.openssl, and that is burned into a lot of OS pieces. Have you pushed those changes out yet? Two paragraphs up, I basically asked a policy question. In this paragraph, I'm basically asking you an implementation question: you had a policy; did it work? Did anything get missed? Can someone audit that?

-CURRENT and -STABLE tend to get patches (and, potentially, problems) before -RELENG does, but sometimes that's a natural process of the patches discovering the problems that need to be put into -RELENG. It's always nice to see a bug report for -RELENG, then track down the revision and find out you've been patched for a while now. On the other hand, -STABLE gets daily patches and you probably wouldn't want to have production patch cycles with that kind of frequency.

[Personally, I tend to update -STABLE/-CURRENT when I see a "Security:" tag with a CVE reference, semi-weekly, or when I see something that looks alarming or interesting, and -RELENG when it gets a patch.]
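The "can someone audit that?" question above is the part a script can answer. The following is an added example, not code from any poster in this thread: it compares the kernel and userland version strings that `freebsd-version -k` and `freebsd-version -u` report against the patch level an advisory requires, and flags the classic miss of a patched userland on a not-yet-rebooted kernel. The REQUIRED value in the usage line is a constructed placeholder, not the real FreeBSD-SA-20:33.openssl level; -STABLE/-CURRENT builds carry no -pN level and are reported as not comparable.

```shell
#!/bin/sh
# Added example (not from the thread): audit a FreeBSD host's kernel and
# userland patch levels against the level a Security Advisory requires.
# Inputs are version strings as printed by `freebsd-version -k` / `-u`.

# Patch level of a -RELEASE version string: "12.2-RELEASE-p3" -> 3,
# "12.2-RELEASE" -> 0, -STABLE/-CURRENT snapshots -> -1 (no -pN level).
patch_level() {
    case "$1" in
        *-RELEASE-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *-RELEASE)         printf '%s\n' 0 ;;
        *)                 printf '%s\n' -1 ;;
    esac
}

# Branch without the patch suffix: "12.2-RELEASE-p3" -> "12.2-RELEASE".
branch() {
    printf '%s\n' "${1%%-p[0-9]*}"
}

# meets_level INSTALLED REQUIRED
#   0: same branch and at/above the required patch level (patched)
#   1: same branch but behind (advisory fix missing)
#   2: different branch, or a -STABLE/-CURRENT build (compare by commit instead)
meets_level() {
    [ "$(branch "$1")" = "$(branch "$2")" ] || return 2
    ip=$(patch_level "$1"); rp=$(patch_level "$2")
    [ "$ip" -ge 0 ] || return 2
    [ "$ip" -ge "$rp" ]
}

# audit_host KERNEL USERLAND REQUIRED: one status line per component;
# exits 0 only when both the running kernel and the userland are patched.
audit_host() {
    rc=0
    for component in kernel userland; do
        if [ "$component" = kernel ]; then v="$1"; else v="$2"; fi
        if meets_level "$v" "$3"; then st=0; else st=$?; fi
        case "$st" in
            0) printf '%s %s: patched\n' "$component" "$v" ;;
            1) printf '%s %s: MISSING %s\n' "$component" "$v" "$3"; rc=1 ;;
            *) printf '%s %s: not comparable by patch level\n' "$component" "$v"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage on a live host (REQUIRED is a constructed placeholder, not the SA-20:33 level):
# audit_host "$(freebsd-version -k)" "$(freebsd-version -u)" "12.2-RELEASE-p99"
```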
Kurt Buff, GSEC/GCIH/PCIP
2020-Dec-29 19:50 UTC
AMNESIA:33 and FreeBSD TCP/IP stack involvement
Recently seen:

https://treck.com/vulnerability-response-information/

and

https://github.com/Forescout/project-memoria-detector

HTH,

Kurt

On Tue, Dec 8, 2020 at 10:59 PM Hartmann, O. <ohartmann at walstatt.org> wrote:
>
> Hello,
> I've got a question about recently discovered serious vulnerabilities
> in certain TCP stack implementations, designated as AMNESIA:33 (as far
> as I could follow the recently made announcements and statements,
> please see, for instance,
> https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
>
> All mentioned open-source TCP stacks seem not to be related in any way
> with FreeBSD or any derivative of the FreeBSD project, but I do not
> dare to make a statement about that.
>
> My question is very simple and aims towards calming down my employees'
> requests: is FreeBSD potentially vulnerable to this newly discovered
> flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT,
> latest incarnations, of course, should be least vulnerable ...).
>
> Thanks in advance,
>
> O. Hartmann