Amnesia: 33: Overview of security notices and updates on the TCP...

Amnesia: 33: Overview of security notices and updates on the TCP...
Amnesia: 33: Overview of security notices and updates on the TCP...

The US-American CERT Coordination Center (CERT / CC) and the security authority CISA have published security advisories that deal with the Amnesia: 33 vulnerability collection, which became public yesterday, Tuesday. They give an overview of vulnerable and secured stack versions and also name some affected manufacturers, some of whom have also published their own update notes and statements.

This message summarizes the most important update information from the following publications, the content of which may be updated and supplemented during the course of the day:

We already reported in detail on Amnesia: 33 yesterday, Tuesday; We have also dedicated a separate message to a detailed statement by the BSI. You can find the articles here:

Manufacturer publications

The following manufacturer publications are available:

  • Devolo (new dLAN Green PHY SDK version available)
  • EMU Electronic AG (including new firmware for EMU Professional TCP / IP)
  • FEIG (new firmware for several products)
  • Genetec (AutoVu ™ Sharp cameras affected, SharpOS updates available)
  • Harting (including firmware updates for RFID reader Ha-VIS RF-R200)
  • Hensoldt (updates and patches for commercial TRENTOS-M SDK)
  • Microchip Technology (including updates for IoT network controller SoCs and frameworks)
  • Nanotec (firmware update for N5 Ethercat Motor Controller)
  • NT-Ware (Uniflow-Plattform, su.)
  • Siemens (updates for industrial components; see also separate CISA advisory)
  • Tagmaster (new firmware for XT-1, XT Mini)
  • Uniflow (microMIND Firmware-Updates)
  • Yanzi Networks (Summary of Available Updates)

Many updates relate to industrial components and devices for the business sector. And secure SDKs and IoT components only protect private users when the updates “arrive in the devices”. Even in those cases where the wait is not hopeless, it will probably take a while.

(Non) vulnerability confirmed

The Advisory of the CERT / CC provides an overview of currently 165 manufacturers and the vulnerability or non-vulnerability of their products due to various Amnesia vulnerabilities. Only Microchip Technology and Siemens are currently marked as clearly “Affected”; at many other companies the status is still “Unknown”.

Laut Advisory Not The following companies are affected (others may be added): Abbott Labs, Afero, Arista Networks Inc., ARM mbed TLS, Barracuda Networks, Belden, Blackberry QNX, Brocade Communication Systems, Ceragon Networks Inc, dd-wrt, Digi International, F5 Networks Inc., Fastly, Fitbit, Google, HCC, Infoblox, Intel, Juniper Networks, Nokia, Rockwell Automation, SUSE Linux, VMware, VMware Carbon Black, Wind River, Xilinx, Zephyr Project und Zyxel.

The manufacturers identified so far represent with a high probability only a subset of those actually affected. Since the vulnerable stacks are without exception (modular) open source code that has been forked, changed and implemented in different variants over and over again, the Isolation extremely difficult. In addition, some device manufacturers are unlikely to be aware of the fact that purchased components from third-party manufacturers use the vulnerable code.

Vulnerable and fixed stacks

Forescout’s information on vulnerable versions of the TCP / IP stacks published in the Amnesia: 33 report was largely limited to the issues they analyzed. The CISA is now providing more precise information along with end-of-life (EoL) instructions; are therefore vulnerable

  • uIP-Contiki-OS (end-of-life [EOL]) up to and including version 3.0
  • uIP-Contiki-NG bis inkl. Version 4.5
  • uIP (EOL) up to and including version 1.0
  • open-iscsi bis inkl. Version 2.1.1
  • picoTCP-NG bis inkl. Version 1.7.0
  • picoTCP (EOL) up to and including version 1.7.0
  • FNET Version 4.6.3
  • Nut / Net up to and including version 5.1

The stacks with an EoL should no longer be used by developers. The maintainers of the other projects recommend switching to

Information on secured picoTCP-NG and Nut / Net versions should be obtained directly from the developers via email (picoTCP-NG contact; Nut / Net contact).


(ovw)

To home page

These were the details of the news Amnesia: 33: Overview of security notices and updates on the TCP... for this day. We hope that we have succeeded by giving you the full details and information. To follow all our news, you can subscribe to the alerts system or to one of our different systems to provide you with all that is new.

It is also worth noting that the original news has been published and is available at de24.news and the editorial team at AlKhaleej Today has confirmed it and it has been modified, and it may have been completely transferred or quoted from it and you can read and follow this news from its main source.

PREV Democrats outline first stage of planned US$60m campaign to win state legislatures
NEXT FBI director warns that Chinese hackers are preparing to ‘wreak havoc’ on US critical infrastructure