Re: AMNESIA:33 and FreeBSD TCP/IP stack involvement

From: John-Mark Gurney <jmg_at_funkthat.com>
Date: Thu, 10 Dec 2020 12:02:50 -0800
Hartmann, O. wrote this message on Wed, Dec 09, 2020 at 06:58 +0100:
> I've got a question about recently discovered serious vulnerabilities
> in certain TCP stack implementations, designated as AMNESIA:33 (as far
> as I could follow the recently made announcements and statements,
> please see, for instance,
> https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
> 
> All mentioned open-source TCP stacks seem not to be related in any way
> with FreeBSD or any derivative of the FreeBSD project, but I do not
> dare to make a statement about that.
> 
> My question is very simple and aims towards calming down my employees'
> requests: is FreeBSD potentially vulnerable to this newly discovered
> flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT,
> latest incarnations, of course, should be least vulnerable ...).

I'd be surprised if FreeBSD is vulnerable to those flaws, but I cannot
make any official statement as there are too many to even start to
investigate them.

Also of note is that there were three other IP stacks that were NOT
vulnerable to ANY new security issues in that report as well, so it
isn't like the report found security vulnerabilities in every TCP/IP
stack they tested.

The best way to have confidence is to pay people to analyze and
verify that the FreeBSD TCP/IP stack is secure, just as it is w/
any critical code that a company runs.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

Received on Thu Dec 10 2020 - 19:02:53 UTC
