I know you want this to die, but I've posed some more questions for you to think about :)

In some email I received from Paul D. Robertson, sie wrote:
[...]
> In my mind, saying "Not vulnerable" and just relating that to the POC code
> is bad because it makes people think they're safe when they may not be, so
> if this is indeed the case, I think we'd all appreciate a more verbose
> clarification.

So what do you do? The last N versions since 1 Jan 2000? Just test your current/latest version? Poll your userbase and check every version that's in use everywhere?

As it happens, IPFilter was fixed before I got any information about this at all from CERT. But that is of no help to anyone not running the latest version. Then again, you need to be running a certain make & model of ftpd before it's a problem as well.

> > Unfortunately the people behind security-officer for NetBSD have been
> > next to useless in this case and if you asked me, their largesse in
> > this case would be a good excuse to give them all the ass (it's not
> > a fun job, either.) FreeBSD has not been much better.
>
> Frankly, that's *why* we're looking to you. You're the #1 IPF authority-
> no matter what version *they* ship. If you need someone to generate
> pages of rants pointed at them, I'm obviously qualified ;)

Like I keep trying to say, if I don't get the right information then there's not much I can do or say to provide the right help to people. For whatever it's worth, I depend on them to provide me with information that gets passed to them from CERT.

What I guess I'm saying here is that because I had no direct contact with anyone useful in this, looking to me, now, is pointless. I kind of get the impression that IPfilter may have been the only popular product that did have an issue and yet you'd be forgiven for thinking it was a complete afterthought the way some people acted.
If there had been some sort of direct communication between me and CERT/ICSA/Mikael before this week then maybe things would have worked out better. CERT at least appears to have learnt a thing or two from this.

[...]
> "I understand the class of attack, and I know IPF isn't vulnerable,
> because I've looked at what I'm doing and compared it to the partial ACK
> issue."
>
> "I understand the class of attack, and I know that I've fixed this in the
> current version of IPF, older versions are probably vulnerable, but I'm
> not saying that explicitly."
>
> "I ran the proof-of-concept code and it didn't work, so I'm going to say
> IPF isn't vulnerable until someone proves otherwise."

All of these. It was hard enough to even compile the damn PoC code.

Plus:
"It looked like the proof-of-concept code required a special agent on the inside and if that's the case then I cannot protect against that."

All in all, I think I'd rather try and make some sort of celestial alignment try and happen than have to go through all that again. From start to end, it's been one big f*cked experience.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Sat Oct 12 2002 - 10:24:03 PDT