Bug 1179908

Summary: VUL-0: open-iscsi: AMENSIA:33 various issues uIP affect open-iscsi uip copy
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P2 - High CC: ematsumiya, gabriele.sonnu, lduncan, meissner, richard.thompson, wolfgang.frisch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/273130/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-13987:8.2:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) CVSSv3.1:SUSE:CVE-2020-13988:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3.1:SUSE:CVE-2020-17437:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv3.1:SUSE:CVE-2020-17438:7.0:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1179907    
Bug Blocks:    

Description Marcus Meissner 2020-12-10 16:26:14 UTC 
+++ This bug was initially created as a clone of Bug #1179907 +++

https://www.forescout.com/research-labs/amnesia33/

https://kb.cert.org/vuls/id/815128

According to the researchers only these 4 CVEs affect open-iscsi:
CVE-2020-13988
CVE-2020-13987
CVE-2020-17438
CVE-2020-17437
Comment 1 Lee Duncan 2020-12-31 22:40:47 UTC 
I merged in the latest upstream open-iscsi (version 2.1.3) into Factory (version 2.1.3-suse), which addresses these CVE issues, all in the uip package used by iscsiuio, which is an optional co-daemon to iscsid. The iscsiduio daemon only uses uip for non-traffic purposes, i.e. for DHCP, ARP, etc, so the scope of this issue is actually rather small.

Once the changes are in Factory I can merge them elsewhere.
Comment 3 Lee Duncan 2021-01-05 21:44:55 UTC 
Factory submission now accepted, so I submitted it to SLE-15-SP3:GA and SLE-15-SP2:Update directly.

Next to address is SLE-15-SP4, where I believe I can also just submit factory.

The older releases will require a set of patches (4 of them?) instead of just submitting factory, as they are older code bases and can't just be upgraded.
Comment 5 Swamp Workflow Management 2021-01-14 14:21:40 UTC 
SUSE-SU-2021:0127-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1179440,1179908
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    open-iscsi-2.1.3-22.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2021-01-16 23:19:50 UTC 
openSUSE-SU-2021:0089-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1179440,1179908
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    open-iscsi-2.1.3-lp152.18.6.1
Comment 7 Lee Duncan 2021-01-28 22:59:38 UTC 
I submitted fixes for SLE-12:SP4, which also goes to SP5.
Also for SLE-15-SP2 and SP3.

I believe this can be transferred back to security now.

NOTE: looks like I submitted twice to 15-SP3, but I'm sure that will be handled.
Comment 10 Lee Duncan 2021-02-23 17:30:38 UTC 
I'm pretty sure my part of this is done now.
Comment 11 Marcus Meissner 2021-02-25 10:04:46 UTC 
12-sp4 is in QA , we will close once done
Comment 12 Swamp Workflow Management 2021-03-01 20:23:30 UTC 
SUSE-SU-2021:0663-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1179908
CVE References: CVE-2020-13987,CVE-2020-13988,CVE-2020-17437,CVE-2020-17438
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    open-iscsi-2.0.876-12.27.2
SUSE OpenStack Cloud 9 (src):    open-iscsi-2.0.876-12.27.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    open-iscsi-2.0.876-12.27.2
SUSE Linux Enterprise Server 12-SP5 (src):    open-iscsi-2.0.876-12.27.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    open-iscsi-2.0.876-12.27.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Lee Duncan 2021-04-05 20:17:59 UTC 
Submitted final (I believe) update, this one to SUSE:SLE-15:Update/open-iscsi (see MR 238915)
Comment 16 Swamp Workflow Management 2021-04-13 16:19:58 UTC 
SUSE-SU-2021:1164-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1173886,1179908,1183421
CVE References: CVE-2020-13987,CVE-2020-13988,CVE-2020-17437,CVE-2020-17438
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    open-iscsi-2.0.876-13.42.1
SUSE Manager Retail Branch Server 4.0 (src):    open-iscsi-2.0.876-13.42.1
SUSE Manager Proxy 4.0 (src):    open-iscsi-2.0.876-13.42.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    open-iscsi-2.0.876-13.42.1
SUSE Linux Enterprise Server for SAP 15 (src):    open-iscsi-2.0.876-13.42.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    open-iscsi-2.0.876-13.42.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    open-iscsi-2.0.876-13.42.1
SUSE Linux Enterprise Server 15-LTSS (src):    open-iscsi-2.0.876-13.42.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    open-iscsi-2.0.876-13.42.1
SUSE Linux Enterprise Module for Legacy Software 15-SP2 (src):    open-iscsi-2.0.876-13.42.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    open-iscsi-2.0.876-13.42.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    open-iscsi-2.0.876-13.42.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    open-iscsi-2.0.876-13.42.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    open-iscsi-2.0.876-13.42.1
SUSE Enterprise Storage 6 (src):    open-iscsi-2.0.876-13.42.1
SUSE CaaS Platform 4.0 (src):    open-iscsi-2.0.876-13.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2021-05-05 19:20:03 UTC 
SUSE-RU-2021:1517-1: An update that fixes four vulnerabilities is now available.

Category: recommended (moderate)
Bug References: 1179908,1183421
CVE References: CVE-2020-13987,CVE-2020-13988,CVE-2020-17437,CVE-2020-17438
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    open-iscsi-2.1.4-22.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    open-iscsi-2.1.4-22.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2021-05-09 19:15:12 UTC 
openSUSE-RU-2021:0693-1: An update that fixes four vulnerabilities is now available.

Category: recommended (moderate)
Bug References: 1179908,1183421
CVE References: CVE-2020-13987,CVE-2020-13988,CVE-2020-17437,CVE-2020-17438
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    open-iscsi-2.1.4-lp152.18.12.1
Comment 31 Lee Duncan 2022-08-03 23:30:14 UTC 
SLE-11-SP3:Update: maint req 276989
Comment 32 Lee Duncan 2022-08-03 23:46:47 UTC 
For the record, these are the commits being added to these three releases:

* e2383973cbca check for header length underflow during checksum calculation
* 1f7968efff15 check for u8 overflow when processing TCP options
* d63ce0d64c5a check for TCP urgent pointer past end of frame
Comment 33 Lee Duncan 2022-08-04 00:04:40 UTC 
> SUSE:SLE-12-SP2:Update/open-iscsi

Maint req: 276990
Comment 35 Lee Duncan 2022-08-04 00:39:46 UTC 
> SUSE:SLE-12-SP3:Update/open-iscsi

Maint req: 276991 

I believe that's everything.
Comment 37 Lee Duncan 2022-08-08 15:16:29 UTC 
More info on the fixes and their CVE numbers:

> commit d63ce0d64c5abe9f285f14ce394660bfb9a16538
> Author: Chris Leech <cleech@redhat.com>
> Date:   Tue Nov 10 14:14:11 2020 -0800
> 
>     check for TCP urgent pointer past end of frame
>     
>     CVE-2020-17437
> 
> commit 1f7968efff15eb737eb086a298cc1f0f0e308411
> Author: Chris Leech <cleech@redhat.com>
> Date:   Tue Nov 10 13:55:18 2020 -0800
> 
>     check for u8 overflow when processing TCP options
>     
>     CVE-2020-13988
> 
> commit e2383973cbca64f8e17ed7c4ad98258edfed6644
> Author: Chris Leech <cleech@redhat.com>
> Date:   Tue Nov 10 13:36:37 2020 -0800
> 
>     check for header length underflow during checksum calculation
>     
>     CVE-2020-13987
>
Comment 38 Lee Duncan 2022-08-08 16:29:20 UTC 
Reassigning back to security.
Comment 40 Swamp Workflow Management 2022-08-15 13:15:10 UTC 
SUSE-SU-2022:2806-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1179908
CVE References: CVE-2020-13987,CVE-2020-13988,CVE-2020-17437
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP3-BCL (src):    open-iscsi-2.0.876-53.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 41 Swamp Workflow Management 2022-08-22 13:16:11 UTC 
SUSE-SU-2022:2861-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1058463,1109477,1179908
CVE References: CVE-2020-17437
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    open-iscsi-2.0.873-46.17.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.