Below is a message some CERT folk posted to NANOG-L this morning. I personally think it's a crock of shit, and that CERT is damaging their credibility by advising based purely on rumor and speculation; however, perhaps someone on this list has additional information?
Facts and first-hand information only, please.

--
Jeff S Wheeler <[EMAIL PROTECTED]>

-----Forwarded Message-----
From: CERT(R) Coordination Center <[EMAIL PROTECTED]>
To: nanog@merit.edu
Cc: CERT(R) Coordination Center <[EMAIL PROTECTED]>
Subject: VU#210321
Date: 10 Sep 2002 10:16:14 -0400

Hello,

The CERT/CC has recently seen discussions in a public forum detailing potential vulnerabilities in several TCP/IP implementations (Linux, OpenBSD, and FreeBSD). We are particularly concerned about these types of vulnerabilities because they have the potential to be exploited even if the target machine has no open ports.

The messages can be found here:

http://lists.netsys.com/pipermail/full-disclosure/2002-September/001667.html
http://lists.netsys.com/pipermail/full-disclosure/2002-September/001668.html
http://lists.netsys.com/pipermail/full-disclosure/2002-September/001664.html
http://lists.netsys.com/pipermail/full-disclosure/2002-September/001643.html

Note that one individual claims two exploits exist in the underground. At this point in time, we do not have any more information, nor have we been able to confirm the existence of these vulnerabilities.

We would appreciate any feedback or insight you may have. We will continue to keep an eye out for further discussions regarding this topic.

FYI,
Ian

Ian A. Finlay
CERT (R) Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA USA 15213-3890