iscsiuio uIP packet input processing issues

Low
cleech published GHSA-r278-fm99-8rgp Dec 18, 2020

Package

Open-iSCSI (iscsiuio)

Affected versions

<= 2.1.2

Patched versions

2.1.3

Description

Impact

What kind of vulnerability is it? Who is impacted?
The Open-iSCSI developers have been made aware of multiple issues related to packet input processing in the uIP and related embedded TCP/IP networking stacks. The iscsiuio tool in the Open-iSCSI project contains a forked copy of the uIP code.

After consideration of the disclosed vulnerabilities, only three were found to have matching code in the iscsiuio source: CVE-2020-17437, CVE-2020-13988 and CVE-2020-13987. Given that iscsiuio uses the uIP stack only for DHCP operations on specific offloading iSCSI hardware, it's believed that only CVE-2020-13987 might have an exposed attack vector in the iscsiuio process.

Patches

Has the problem been patched? What versions should users upgrade to?
Patches to address the known applicable issues have been applied to Open-iSCSI 2.1.3.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
None at this time.

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2020-13987

Weaknesses

No CWEs