Bug 1899467 (CVE-2020-13987)

Summary: CVE-2020-13987 Open-iSCSI: OOB read in checksum calculation in uIP
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Reporter: Cedric Buissart <cbuissar>
Assignee: Red Hat Product Security <security-response-team>
CC: andy, cleech, coughlan, cscribne, dlehman, security-response-team, yozone
Keywords: Security
Last Closed: 2021-10-29 06:55:07 UTC
Bug Depends On: 1899974, 1899977, 1909046, 1910572    
Bug Blocks: 1881303    

Description Cedric Buissart 2020-11-19 10:35:57 UTC
An out-of-bounds read was found in the uIP (Micro IP) TCP/UDP checksum calculation in IPv4.

The function that parses incoming transport layer packets (TCP/UDP) does not check the length fields of packet headers against the data available in the packets. Given arbitrary lengths, an out-of-bounds memory read may be performed during the checksum computation.

Listed potential impact: DoS & information leak
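
The missing check described above, sketched as an added example (not uIP or iscsiuio code): the IPv4 length fields are validated against the number of bytes actually received before the TCP/UDP checksum loop runs. All function names and the sample packet are hypothetical and constructed for illustration; the IPv4 header checksum is not verified here.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: IPv4 + UDP to port 3260, 4 payload bytes, 32 bytes total. */
const uint8_t sample_pkt[32] = {
    0x45,0x00,0x00,0x20, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,   /* 192.0.2.1 -> 192.0.2.2 */
    0x10,0x00,0x0c,0xbc, 0x00,0x0c,0x5b,0x10,   /* UDP header, checksum 0x5b10 */
    0x01,0x02,0x03,0x04 };

/* Check the IPv4 length fields against the bytes received (avail).
 * On success returns 0 and sets the transport segment offset and length. */
static int ipv4_l4_bounds(const uint8_t *pkt, size_t avail, size_t *off, size_t *len)
{
    if (avail < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* header length in bytes */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];  /* length claimed by sender */
    if (ihl < 20 || ihl > total || total > avail)
        return -1;                                  /* claim does not fit the buffer */
    *off = ihl;
    *len = total - ihl;
    return 0;
}

/* One's-complement sum (RFC 1071) over exactly len bytes, seeded with acc. */
static uint16_t ones_sum(const uint8_t *p, size_t len, uint32_t acc)
{
    while (len > 1) { acc += ((uint32_t)p[0] << 8) | p[1]; p += 2; len -= 2; }
    if (len) acc += (uint32_t)p[0] << 8;
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* Returns -1 for a malformed packet; otherwise 0, with *out == 0 when the
 * TCP/UDP checksum (including pseudo-header) verifies. */
int l4_checksum_checked(const uint8_t *pkt, size_t avail, uint16_t *out)
{
    size_t off, len;
    if (ipv4_l4_bounds(pkt, avail, &off, &len) != 0)
        return -1;                              /* never sum past received data */
    uint32_t acc = pkt[9] + (uint32_t)len;      /* pseudo-header: protocol + length */
    acc = ones_sum(pkt + 12, 8, acc);           /* source and destination address */
    *out = (uint16_t)~ones_sum(pkt + off, len, acc);
    return 0;
}

int main(void)
{   /* exit 0: the sample verifies and a truncated copy of it is rejected */
    uint16_t ck;
    return !(l4_checksum_checked(sample_pkt, sizeof sample_pkt, &ck) == 0 && ck == 0 &&
             l4_checksum_checked(sample_pkt, 28, &ck) == -1);
}
```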

Comment 3 Cedric Buissart 2020-12-10 13:59:00 UTC
In Red Hat Enterprise Linux, uIP is used in the iscsiuio command, provided by iscsi-initiator-utils.

In RHEL, the command is used for connecting to an iSCSI NAS. It is expected that the attacker is a Person in the Middle, between the NAS and the RHEL machine.
As a consequence, this issue is currently rated Low.

Comment 4 Cedric Buissart 2020-12-18 09:08:32 UTC
Created iscsi-initiator-utils tracking bugs for this issue:

Affects: fedora-all [bug 1909046]

Comment 9 Cedric Buissart 2021-02-25 17:33:37 UTC
Statement:

Although a vulnerable version of uIP is included in iscsi-initiator-utils, it is believed that the vulnerability cannot be actively exploited in that particular context.