SUSE statement on AMNESIA:33 vulnerabilities
Researchers from Forescout Research Labs have published a set of new software vulnerabilities that affect embedded TCP/IP stacks.
The set of vulnerabilities, called AMNESIA:33, affects only small parts of the SUSE Linux Enterprise set of packages.
- The Linux Kernel TCP/IP implementation is not affected by these vulnerabilities, as it uses its own IP stack.
- The open-iscsi services embed a variant of the affected uIP IP stack, which is affected by some of the CVEs.
References:
- AMNESIA:33 paper from the researchers
- SUSE TID 000019813
- CVE-2020-13988 for open-iscsi
- CVE-2020-13987 for open-iscsi
- CVE-2020-17438 for open-iscsi
- CVE-2020-17437 for open-iscsi
AMNESIA:33, while potentially serious to unpatched systems, poses little danger to those who keep their SUSE products patched and up to date. We are releasing fixes and updates for open-iscsi to all affected versions, eliminating the potential for disruption.
If you have any questions or concerns, please reach out to your SUSE contact. Security and reliability continue to be top priorities for SUSE because they are top priorities for our customers and partners. And as always, customers and partners come first.