[ISN] Flaw Found in Ethernet Device Drivers

From: InfoSec News (isnat_private)
Date: Tue Jan 07 2003 - 01:28:48 PST

    January 6, 2003

    Security researchers have discovered a serious vulnerability that may
    be present in many Ethernet device drivers that is causing the devices
    to broadcast sensitive information over networks.

    According to the IEEE's Ethernet standard, packets transmitted on an
    Ethernet network should be a minimum of 46 bytes. If, as sometimes
    happens with protocols such as IP, a higher layer protocol requires
    less than 46 bytes, the Ethernet frames are supposed to be padded with
    null data. However, researchers at @stake Inc., in Cambridge, Mass.,
    have discovered that many drivers instead pad packets with data from
    previously transmitted Ethernet frames.
    This results in the device sending out sensitive information to other
    machines on the same Ethernet network. The type of data sent depends
    upon the device driver implementation, but it can range from data
    housed in the dynamic kernel memory, to static system memory allocated
    to the driver, to a hardware buffer located on the network interface.

    Thanks to some vagueness in the standards defining IP datagram
    transmission on Ethernet networks, it's not entirely clear exactly how
    the padding should be done. Some implementations do it on the NIC,
    while others handle it in the software device driver and still others
    do it in a separate layer 2 stack, @stake said.
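    The padding rule described above is easy to check against captured
    traffic: whatever follows the IP datagram inside a minimum-size frame is
    link-layer padding, and the standard says it should be all zeros. The
    following checker is an added example, not code from the article or
    from @stake's paper. It parses an Ethernet II frame carrying IPv4,
    locates the padding from the IP total-length field, and classifies it
    as clean or suspicious; the frames, MAC addresses and "stale" bytes it
    builds are constructed sample data, and it assumes the frame check
    sequence has already been stripped, as most capture tools do.

```python
"""
Heuristic checker for the Ethernet padding leak described in the article.
Added example, not part of the original post or of @stake's paper; all
frames, addresses and "leaked" bytes below are constructed for illustration.
"""
import struct

ETH_HDR_LEN = 14          # dst MAC + src MAC + EtherType
ETH_MIN_PAYLOAD = 46      # payloads shorter than this must be padded
ETHERTYPE_IPV4 = 0x0800


def padding_bytes(frame: bytes) -> bytes:
    """Return the link-layer padding that follows the IPv4 datagram in `frame`.

    Raises ValueError for frames that are not Ethernet II / IPv4 or whose
    IP total length does not fit inside the frame. The frame check sequence
    is assumed to have been stripped already.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:
        raise ValueError("IP version field is not 4")
    total_length = struct.unpack("!H", ip[2:4])[0]
    if total_length < 20 or total_length > len(ip):
        raise ValueError("IP total length inconsistent with frame size")
    # Everything past the end of the IP datagram is Ethernet padding.
    return ip[total_length:]


def classify_padding(frame: bytes) -> str:
    """'no padding', 'clean' (all zeros) or 'suspicious' (non-zero filler)."""
    pad = padding_bytes(frame)
    if not pad:
        return "no padding"
    if pad.count(0) == len(pad):
        return "clean"
    return "suspicious"


def make_ipv4_datagram(payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    total_length = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_length, 0, 0, 64, 1, 0,      # v4/IHL=5, TTL 64, proto ICMP
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),  # constructed sample addresses
    )
    return header + payload


def build_frame(ip_datagram: bytes, pad_source: bytes = b"") -> bytes:
    """Wrap a (possibly short) IPv4 datagram in an Ethernet II frame.

    `pad_source` models what the sender fills the padding with: empty means
    the correct zero fill, anything else stands in for leftover bytes from
    an earlier frame, which is the flaw the article describes.
    """
    dst = bytes.fromhex("001122334455")  # constructed sample MACs
    src = bytes.fromhex("66778899aabb")
    header = dst + src + struct.pack("!H", ETHERTYPE_IPV4)
    pad_len = max(0, ETH_MIN_PAYLOAD - len(ip_datagram))
    if pad_source:
        pad = (pad_source * (pad_len // len(pad_source) + 1))[:pad_len]
    else:
        pad = b"\x00" * pad_len
    return header + ip_datagram + pad


if __name__ == "__main__":
    # An 8-byte ICMP-sized payload gives a 28-byte datagram and 18 bytes of padding.
    short = make_ipv4_datagram(b"\x00" * 8)
    for label, frame in (
        ("correct driver", build_frame(short)),
        ("leaky driver", build_frame(short, b"stale bytes from an earlier frame")),
    ):
        print(f"{label}: {classify_padding(frame)} ({len(padding_bytes(frame))} pad bytes)")
```

    Run over real captures, the same logic (EtherType, IP total length,
    then inspect the tail) flags hosts whose short replies carry non-zero
    padding, which is the condition worth investigating on a segment.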
    "This information leakage vulnerability is trivial to exploit and has
    potentially devastating consequences. Several different variants of
    this implementation flaw result in this vulnerability," the @stake
    researchers wrote in their paper on the flaw, released Monday. "The
    Linux, NetBSD and Microsoft Windows operating systems are known to
    have vulnerable link layer implementations, and it is extremely likely
    that other operating systems are also affected."

    The most likely exploitation of the vulnerability would be for an
    attacker to send ICMP (Internet Control Message Protocol) echo
    requests to a vulnerable machine. The machine would then send back
    replies containing portions of the device's memory. In tests, the
    researchers found that most often the pad data sent in error contains
    portions of network traffic that the vulnerable device is handling.
    An attacker could use that information to plan further attacks on the
    vulnerable machine.

    "The number of affected systems is staggering, and the number of
    vulnerable systems used as critical network infrastructure terrifying.
    The security of proprietary network devices is particularly
    questionable," the researchers wrote in conclusion to their paper.

    The CERT Coordination Center has posted on its Web site a list of
    vendors whose products may be affected by this vulnerability. However,
    the vast majority of them apparently haven't responded to information
    about the flaw, so it's not clear exactly which devices are
    vulnerable. The CERT list is available here.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 04:56:54 PST