RE: Saying goodnight to my GSR

["Keith Medcalf" <kmedcalf () dessus com>]

I do not see any vulnerabilities listed there.  Only documentation of behavioral bugs, caveats, and restrictions.

A "vulnerability" would be something like the one Microsoft introduced into all versions of the Windows IP stack after 
Windows 2003 and Windows XP wherein "the Operating System will execute the payload of an IP packet with SYSTEM 
authority and SYSTEM integrity when a crafted IP packet is received in which a certain combination of invalid and 
reserved header bits are set".

> -----Original Message-----
> From: Ruairi Carroll [mailto:ruairi.carroll () gmail com]
> Sent: Saturday, 20 September, 2014 14:57
> To: Keith Medcalf
> Cc: Daniel Sterling; Bacon Zombie; nanog () nanog org
> Subject: Re: Saying goodnight to my GSR
>
> > And what, exactly, is it vulnerable to?
>
> Most of these, I'd imagine:
> http://www.cisco.com/c/en/us/td/docs/ios/12_0s/release/ntes/120SCAVS.html
>
>
> On 20 September 2014 14:25, Keith Medcalf <kmedcalf () dessus com> wrote:
>
>
>
>       And what, exactly, is it vulnerable to?
>
>
>       >-----Original Message-----
>       >From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Daniel
> Sterling
>       >Sent: Saturday, 20 September, 2014 12:06
>       >To: Bacon Zombie
>       >Cc: nanog () nanog org
>       >Subject: Re: Saying goodnight to my GSR
>       >
>       >Again, you're focusing resentment towards someone who did the right
>       >thing. Negative reinforcement will discourage others from taking
>       >action and will discourage them from encouraging others to take
>       >action.
>       >
>       >Let's focus on who still has vulnerable equipment and how to help
>       >them. Let's not shame people who did the right thing
>       >
>       >Thanks,
>       >Dan
>       >
>       >
>       >On Sat, Sep 20, 2014 at 1:59 PM, Bacon Zombie
> <baconzombie () gmail com>
>       >wrote:
>       >> OK thank you for decommissioning this.*
>       >>
>       >> * Only if you either had authority to do so for max 1 year or had
> no
>       >> authority but were fighting to have it patches or replaced for
> years.
>       >> On Sep 20, 2014 7:54 PM, "Daniel Sterling"
> <sterling.daniel () gmail com>
>       >> wrote:
>       >>
>       >>> On Sat, Sep 20, 2014 at 1:37 PM, Bacon Zombie
> <baconzombie () gmail com>
>       >>> wrote:
>       >>>
>       >>> > So when was the last time you patched this internet facing
> device?
>       >>>
>       >>> Isn't the better response, thank you for decommissioning it?
>       >>>
>       >>> Can someone from cisco set up a poll or release whatever numbers
> they
>       >>> have about how many of these old devices are still in service?
>       >>>
>       >>> Thanks,
>       >>> Dan
>       >>>