Amnesia: 33: Overview of security notices and updates on the TCP...

The US-American CERT Coordination Center (CERT / CC) and the security authority CISA have published security advisories that deal with the Amnesia: 33 vulnerability collection, which became public yesterday, Tuesday. They give an overview of vulnerable and secured stack versions and also name some affected manufacturers, some of whom have also published their own update notes and statements.

This message summarizes the most important update information from the following publications, the content of which may be updated and supplemented during the course of the day:

We already reported in detail on Amnesia: 33 yesterday, Tuesday; We have also dedicated a separate message to a detailed statement by the BSI. You can find the articles here:

Manufacturer publications

The following manufacturer publications are available:

• Devolo (new dLAN Green PHY SDK version available)
• EMU Electronic AG (including new firmware for EMU Professional TCP / IP)
• FEIG (new firmware for several products)
• Genetec (AutoVu ™ Sharp cameras affected, SharpOS updates available)
• Harting (including firmware updates for RFID reader Ha-VIS RF-R200)
• Hensoldt (updates and patches for commercial TRENTOS-M SDK)
• Microchip Technology (including updates for IoT network controller SoCs and frameworks)
• Nanotec (firmware update for N5 Ethercat Motor Controller)
• NT-Ware (Uniflow-Plattform, su.)
• Siemens (updates for industrial components; see also separate CISA advisory)
• Tagmaster (new firmware for XT-1, XT Mini)
• Uniflow (microMIND Firmware-Updates)
• Yanzi Networks (Summary of Available Updates)

Many updates relate to industrial components and devices for the business sector. And secure SDKs and IoT components only protect private users when the updates “arrive in the devices”. Even in those cases where the wait is not hopeless, it will probably take a while.

(Non) vulnerability confirmed

The Advisory of the CERT / CC provides an overview of currently 165 manufacturers and the vulnerability or non-vulnerability of their products due to various Amnesia vulnerabilities. Only Microchip Technology and Siemens are currently marked as clearly “Affected”; at many other companies the status is still “Unknown”.

Laut Advisory Not The following companies are affected (others may be added): Abbott Labs, Afero, Arista Networks Inc., ARM mbed TLS, Barracuda Networks, Belden, Blackberry QNX, Brocade Communication Systems, Ceragon Networks Inc, dd-wrt, Digi International, F5 Networks Inc., Fastly, Fitbit, Google, HCC, Infoblox, Intel, Juniper Networks, Nokia, Rockwell Automation, SUSE Linux, VMware, VMware Carbon Black, Wind River, Xilinx, Zephyr Project und Zyxel.

The manufacturers identified so far represent with a high probability only a subset of those actually affected. Since the vulnerable stacks are without exception (modular) open source code that has been forked, changed and implemented in different variants over and over again, the Isolation extremely difficult. In addition, some device manufacturers are unlikely to be aware of the fact that purchased components from third-party manufacturers use the vulnerable code.

Vulnerable and fixed stacks

Forescout’s information on vulnerable versions of the TCP / IP stacks published in the Amnesia: 33 report was largely limited to the issues they analyzed. The CISA is now providing more precise information along with end-of-life (EoL) instructions; are therefore vulnerable

• uIP-Contiki-OS (end-of-life [EOL]) up to and including version 3.0
• uIP-Contiki-NG bis inkl. Version 4.5
• uIP (EOL) up to and including version 1.0
• open-iscsi bis inkl. Version 2.1.1
• picoTCP-NG bis inkl. Version 1.7.0
• picoTCP (EOL) up to and including version 1.7.0
• FNET Version 4.6.3
• Nut / Net up to and including version 5.1

The stacks with an EoL should no longer be used by developers. The maintainers of the other projects recommend switching to

Information on secured picoTCP-NG and Nut / Net versions should be obtained directly from the developers via email (picoTCP-NG contact; Nut / Net contact).

(ovw)