On Wed, Dec 09, 2020 at 06:58:49AM +0100, Hartmann, O. wrote:
> Hello,
> I've got a question about recently discovered serious vulnerabilities
> in certain TCP stack implementations, designated as AMNESIA:33 (as far
> as I could follow the recently made announcements and statements,
> please see, for instance,
> https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
>
> All mentioned open-source TCP stacks seem not to be related in any way
> with FreeBSD or any derivative of the FreeBSD project, but I do not
> dare to make a statement about that.
>
> My question is very simple and aims towards calming down my employees'
> requests: is FreeBSD potentially vulnerable to this newly discovered
> flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT,
> latest incarnations, of course, should be least vulnerable ...).

Look at it this way: If it is/was, what are you going to do about it?

[Please don't take this as a personal attack. I get the same kind of questions you are by my bosses and auditors, who live in their own little world where they think there is a guarantee for everything and the only real-world cost is an appropriately asked question.]

If you've got an upgrade policy that rolls out patches when FreeBSD publishes them (or tracking -STABLE or -CURRENT in such a way that they're going to be incorporated with some parity with the security and errata notifications) and you're keeping your packages up to date, you're doing pretty good. If there is a problem, you'll roll out the fixes when they're available. You may not even know they're in there yet.

If you've got a menagerie of FreeBSD-based IoT-style devices that aren't getting regular updates and this bug has shown you the tip of the iceberg to all the other potential problems, then you probably have issues.
Now an attack against the kernel TCP/IP stack is universally bad (possibly bypassing any firewall, probably not requiring authentication, probably gaining kernel privileges, etc.), plenty of other problems are a subset of just as bad. Assuming that the Amnesia:33 report was responsibly disclosed, if FreeBSD was affected we'd probably have fixes out (pre-publication).

On 12/8, you just got a patch released for FreeBSD-SA-20:33.openssl, and that is burned into a lot of OS pieces. Have you pushed those changes out yet?

Two paragraphs up, I basically asked a policy question. This paragraph, I'm basically asking you an implementation question: You had a policy, did it work? Did anything get missed? Can someone audit that?

-CURRENT and -STABLE tend to get patches (and, potentially, problems) before -RELENG does, but sometimes that's a natural process of the patches discovering the problems that need to be put into -RELENG. It's always nice to see a bug report for -RELENG and then tracking down the revision and finding out you've been patched for a while now. On the other hand, -STABLE gets daily patches and you probably wouldn't want to have production patch cycles with that kind of frequency.

[Personally, I tend to update -STABLE/-CURRENT when I see a "Security:" tag with a CVE reference, semi-weekly, or when I see something that looks alarming or interesting, and -RELENG when it gets a patch.]

Received on Fri Dec 11 2020 - 15:14:16 UTC
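One concrete way to answer the "did anything get missed, can someone audit that?" question for release-branch hosts, as an added example that is not part of the thread above: compare the patch level a host reports against the "Corrected" level an advisory names. The required level used in the usage comment is a placeholder, not a value taken from FreeBSD-SA-20:33.openssl.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit whether a FreeBSD
# release host is at or past the "Corrected" patch level an SA names.
# Version strings look like 12.2-RELEASE-p1 (no -pN means patch level 0).
# -STABLE/-CURRENT hosts carry no patch level; they are tracked by revision.

# patch_level VERSION: print the N of the trailing -pN, or 0 if absent.
patch_level() {
    case "$1" in
        *-p*) printf '%s\n' "${1##*-p}" ;;
        *)    printf '0\n' ;;
    esac
}

# release_of VERSION: print the version with any -pN suffix stripped.
release_of() {
    printf '%s\n' "${1%-p*}"
}

# sa_applied INSTALLED REQUIRED: exit 0 if INSTALLED is on REQUIRED's release
# at an equal or higher patch level, 1 if behind, 2 if the releases differ
# (a different release, or a -STABLE/-CURRENT string, is not comparable).
sa_applied() {
    [ "$(release_of "$1")" = "$(release_of "$2")" ] || return 2
    [ "$(patch_level "$1")" -ge "$(patch_level "$2")" ]
}

# audit_versions REQUIRED LABEL:VERSION...: print one verdict per component,
# exit 0 only if every component meets REQUIRED. For a userland-only SA pass
# only "userland:$(freebsd-version -u)"; the kernel string is not bumped
# for those. For a kernel SA also pass "kernel:$(freebsd-version -k)".
audit_versions() {
    req=$1; shift; rc=0
    for pair in "$@"; do
        label=${pair%%:*}; ver=${pair#*:}
        sa_applied "$ver" "$req" && r=0 || r=$?
        case $r in
            0) status="ok (>= $req)" ;;
            2) status="not comparable to $req; check by revision"; rc=1 ;;
            *) status="BEHIND $req"; rc=1 ;;
        esac
        printf '%s %s: %s\n' "$label" "$ver" "$status"
    done
    return $rc
}

# Usage on the host being audited (the required level here is a placeholder):
#   sh audit.sh 12.2-RELEASE-p1 "userland:$(freebsd-version -u)"
if [ $# -ge 2 ]; then
    audit_versions "$@"
fi
```

A non-zero exit is the signal to feed into whatever tracks the patch rollout, so the "was it missed?" check can be scripted across a fleet rather than answered from memory.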