Candidate: CVE-2020-13988
CRD: 2020-12-01
PublicDate: 2020-12-11 22:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13988
 https://github.com/open-iscsi/open-iscsi/security/advisories/GHSA-r278-fm99-8rgp
 https://www.forescout.com/company/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/
Description:
 An issue was discovered in Contiki through 3.0. An Integer Overflow exists
 in the uIP TCP/IP Stack component when parsing TCP MSS options of IPv4
 network packets in uip_process in net/ipv4/uip.c.
Ubuntu-Description:
Notes:
 sbeattie> aka FSCT-2020-0008
 sbeattie> issue in embedded copy of uIP
 mdeslaur> per upstream "iscsiuio only uses uip for network "services",
 mdeslaur> such as DHCP, ARP, etc, and not for normal TCP/IP
 mdeslaur> communications"
Mitigation:
Bugs:
Priority: low
Discovered-by: Jos Wetzels, Stanislav Dashevskyi, Amine Amri
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_open-iscsi:
 upstream: https://github.com/open-iscsi/open-iscsi/commit/1f7968efff15eb737eb086a298cc1f0f0e308411
upstream_open-iscsi: released (2.1.3)
precise/esm_open-iscsi: ignored (end of ESM support, was needed)
trusty_open-iscsi: ignored (out of standard support)
trusty/esm_open-iscsi: needed
xenial_open-iscsi: ignored (end of standard support, was needed)
esm-infra/xenial_open-iscsi: needed
bionic_open-iscsi: needed
focal_open-iscsi: needed
groovy_open-iscsi: ignored (reached end-of-life)
hirsute_open-iscsi: released (2.1.3-1ubuntu1)
impish_open-iscsi: released (2.1.3-1ubuntu1)
jammy_open-iscsi: released (2.1.3-1ubuntu1)
devel_open-iscsi: released (2.1.3-1ubuntu1)