From: "Hartmann, O."
Date: Thu, 17 Dec 2020 19:20:29 +0100
To: freebsd-security@freebsd.org
Cc: John-Mark Gurney, freebsd-current@freebsd.org, John Kennedy
Subject: Re: AMNESIA:33 and FreeBSD TCP/IP stack involvement
Organization: walstatt.org

> Hartmann, O. wrote this message on Wed, Dec 09, 2020 at 06:58 +0100:
> > I've got a question about recently discovered serious
> > vulnerabilities in certain TCP stack implementations, designated as
> > AMNESIA:33 (as far as I could follow the recently made
> > announcements and statements, please see, for instance,
> > https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
> >
> > All mentioned open-source TCP stacks seem not to be related in any
> > way with FreeBSD or any derivative of the FreeBSD project, but I do
> > not dare to make a statement about that.
> >
> > My question is very simple and aims towards calming down my
> > employees' requests: is FreeBSD potentially vulnerable to this newly
> > discovered flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE
> > and 13-CURRENT, latest incarnations, of course, should be least
> > vulnerable ...).
>
> I'd be surprised if FreeBSD is vulnerable to those flaws, but I cannot
> make any official statement as there are too many to even start to
> investigate them.
>
> Also of note is that there were three other IP stacks that were NOT
> vulnerable to ANY new security issues in that report as well, so it
> isn't like the report found security vulnerability in every TCP/IP
> stack they tested.
>
> The best way to have confidence is to pay people to analyze and
> verify that the FreeBSD TCP/IP stack is secure, just as it is w/
> any critical code that a company runs.
>

Thank you very much for responding.

I'll take all comments into consideration; I think one thing is clear,
that even if I'd had to report that FreeBSD is vulnerable, I'd have to
wait for a patch. Since my personal patch policy on RELENG for FreeBSD
is to patch/update as fast as possible after an SA has been published,
I'd have to wait for the patches. CURRENT and STABLE systems are
updated frequently - on a weekly basis, if necessary.

Kind regards,

O. Hartmann