Re: AMNESIA:33 and FreeBSD TCP/IP stack involvement

From: Hartmann, O. <ohartmann_at_walstatt.org>
Date: Thu, 17 Dec 2020 19:20:29 +0100
> Hartmann, O. wrote this message on Wed, Dec 09, 2020 at 06:58 +0100:
> > I've got a question about recently discovered serious
> > vulnerabilities in certain TCP stack implementations, designated as
> > AMNESIA:33 (as far as I could follow the recently made
> > announcements and statements, please see, for instance,
> > https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
> > 
> > All mentioned open-source TCP stacks seem not to be related in any
> > way with FreeBSD or any derivative of the FreeBSD project, but I do
> > not dare to make a statement about that.
> > 
> > My question is very simple and aims towards calming down my
> > employees' requests: is FreeBSD potentially vulnerable to this newly
> > discovered flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE
> > and 13-CURRENT, latest incarnations, of course, should be least
> > vulnerable ...).
> 
> I'd be surprised if FreeBSD is vulnerable to those flaws, but I cannot
> make any official statement as there are too many to even start to
> investigate them.
> 
> Also of note is that there were three other IP stacks that were NOT
> vulnerable to ANY new security issues in that report as well, so it
> isn't like the report found security vulnerability in every TCP/IP
> stack they tested.
> 
> The best way to have confidence is to pay people to analyze and
> verify that the FreeBSD TCP/IP stack is secure, just as it is w/
> any critical code that a company runs.
> 

Thank you very much for responding.

I'll take all comments into consideration; I think one thing is clear,
that even if I had to report that FreeBSD is vulnerable, I'd have to
wait for a patch. Since my personal patch policy on RELENG for FreeBSD
is to patch/update as fast as possible after a SA has been published,
I'd have to wait for the patches. CURRENT and STABLE systems are
updated frequently - on a weekly basis, if necessary.

Kind regards,

O. Hartmann

Received on Thu Dec 17 2020 - 17:20:58 UTC