Vulnerability Note VU#412115

Network device drivers reuse old frame buffer data to pad packets

Overview

Many network device drivers reuse old frame buffer data to pad packets, resulting in an information leakage vulnerability that may allow remote attackers to harvest sensitive information from affected devices.

I. Description

The Ethernet standard (IEEE 802.3) specifies a minimum data field size of 46 bytes. If a higher layer protocol such as IP provides packet data that is smaller than 46 bytes, the device driver must fill the remainder of the data field with a "pad". For IP datagrams, RFC1042 specifies that "the data field should be padded (with octets of zero) to meet the IEEE 802 minimum frame size requirements."

Researchers from @Stake have discovered that, contrary to the recommendations of RFC1042, many Ethernet device drivers fail to pad frames with null bytes. Instead, these device drivers reuse previously transmitted frame data to pad frames smaller than 46 bytes. This constitutes an information leakage vulnerability that may allow remote attackers to harvest potentially sensitive information. Depending upon the implementation of an affected device driver, the leaked information may originate from dynamic kernel memory, from static system memory allocated to the device driver, or from a hardware buffer located on the network interface card.

For detailed information on this research, please read @Stake's "EtherLeak: Ethernet frame padding information leakage", available at


This vulnerability may also affect link layer networking protocols other than Ethernet.
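As an added example (not part of this CERT note or of @Stake's research), the following Python audit helper parses captured IPv4-over-Ethernet frames, isolates the octets that lie beyond the IP total length, and flags frames whose pad is not all zeros as RFC1042 says it should be; the frame layout and MAC addresses it builds are constructed sample data.

```python
import struct
from typing import Dict, List, Optional

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
ETH_MIN_PAYLOAD = 46      # IEEE 802.3 minimum data field size
ETHERTYPE_IPV4 = 0x0800


def padding_bytes(frame: bytes) -> Optional[bytes]:
    """Return the pad octets of an IPv4 frame, or None when the frame carries
    no pad (IP datagram already >= 46 bytes) or cannot be parsed."""
    if len(frame) < ETH_HDR_LEN + 20:            # need at least a minimal IP header
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    payload = frame[ETH_HDR_LEN:]
    ip_total_len = struct.unpack("!H", payload[2:4])[0]
    if ip_total_len >= ETH_MIN_PAYLOAD or ip_total_len > len(payload):
        return None                               # nothing padded, or truncated capture
    return payload[ip_total_len:]                 # everything past the datagram is pad


def is_leaky(frame: bytes) -> bool:
    """True when the pad contains non-zero octets, i.e. the sender's driver
    did not zero-fill as RFC1042 recommends."""
    pad = padding_bytes(frame)
    return pad is not None and any(pad)


def leaky_sources(frames: List[bytes]) -> Dict[str, int]:
    """Map source MAC -> number of frames seen with non-zero padding, so an
    auditor can identify which hosts on the segment run an affected driver."""
    counts: Dict[str, int] = {}
    for f in frames:
        if is_leaky(f):
            src = f[6:12].hex(":")
            counts[src] = counts.get(src, 0) + 1
    return counts


def build_frame(ip_len: int, pad: bytes) -> bytes:
    """Constructed sample: an IPv4 datagram of ip_len bytes followed by pad.
    The header fields other than version/IHL and total length are zeroed."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = b"\x45\x00" + struct.pack("!H", ip_len) + b"\x00" * (ip_len - 4)
    return eth + ip + pad


if __name__ == "__main__":
    clean = build_frame(40, b"\x00" * 6)          # 40-byte TCP ACK, correctly zero-padded
    leaky = build_frame(40, b"GET /i")            # same size, pad holds stale buffer data
    print(leaky_sources([clean, leaky]))
```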

II. Impact

This vulnerability allows remote attackers to harvest potentially sensitive information from network traffic. In some network environments, this vulnerability can also be used to circumvent technologies that divide networks into separate domains, such as VLANs and routers.

III. Solution

Apply a patch from your vendor


For vendor-specific information regarding vulnerability status and patch availability, please consult the Systems Affected section of this document.

Use encryption to protect sensitive data

By using encryption to protect network traffic, vulnerable sites can greatly reduce the impact of this vulnerability. Affected device drivers will still leak information, but fragments of encrypted information will be useless to attackers. Note that this workaround will not protect sensitive information leaked from non-network sources such as kernel memory.

Systems Affected

Vendor                               Status          Date (Notified / Updated)
3Com                                 Unknown         3-Feb-2003
Alcatel                              Unknown         3-Jan-2003
Apple Computer Inc.                  Not Vulnerable  10-Jan-2003
Avaya                                Unknown         3-Jan-2003
Borderware                           Unknown         14-Jan-2003
BSDI                                 Unknown         3-Jan-2003
Check Point                          Unknown         14-Jan-2003
Cisco Systems Inc.                   Unknown         24-Mar-2003
Clavister                            Not Vulnerable  16-Jan-2003
Computer Associates                  Unknown         3-Feb-2003
Conectiva                            Unknown         3-Jan-2003
Cray Inc.                            Unknown         17-Jan-2003
D-Link Systems                       Unknown         3-Jan-2003
Data General                         Unknown         3-Jan-2003
Debian                               Vulnerable      25-Jul-2003
eSoft                                Unknown         14-Jan-2003
F5 Networks                          Not Vulnerable  3-Jan-2003
FreeBSD                              Unknown         3-Jan-2003
Fujitsu                              Unknown         3-Jan-2003
Global Technology Associates         Unknown         14-Jan-2003
Guardian Digital Inc.                Vulnerable      24-Mar-2003
Hewlett-Packard Company              Vulnerable      25-Jul-2003
Hitachi                              Not Vulnerable  6-Jan-2003
IBM                                  Not Vulnerable  10-Jan-2003
Intel                                Vulnerable      21-Apr-2003
Intoto                               Unknown         14-Jan-2003
IP Filter                            Unknown         14-Jan-2003
Juniper Networks                     Unknown         3-Jan-2003
Lachman                              Unknown         3-Jan-2003
Linksys                              Unknown         14-Jan-2003
Lotus Software                       Unknown         3-Jan-2003
Lucent Technologies                  Unknown         3-Jan-2003
MandrakeSoft                         Vulnerable      25-Jul-2003
Microsoft Corporation                Unknown         25-Jul-2003
MontaVista Software                  Unknown         3-Jan-2003
National Semiconductor Corporation   Not Vulnerable  16-Jan-2003
NEC Corporation                      Not Vulnerable  3-Jan-2003
NetBSD                               Unknown         3-Jan-2003
Netfilter.org                        Unknown         14-Jan-2003
NetScreen                            Unknown         3-Jan-2003
Network Appliance                    Vulnerable      8-Jan-2003
Nokia                                Unknown         3-Jan-2003
Nortel Networks                      Unknown         3-Jan-2003
Novell                               Unknown         14-Jan-2003
OpenBSD                              Unknown         3-Jan-2003
Openwall GNU/*/Linux                 Unknown         3-Jan-2003
Red Hat Inc.                         Vulnerable      31-Mar-2003
Redback Networks Inc.                Unknown         3-Jan-2003
Riverstone Networks                  Unknown         3-Jan-2003
Secure Computing Corporation         Unknown         14-Jan-2003
SecureWorx                           Unknown         14-Jan-2003
Sequent                              Unknown         3-Jan-2003
SGI                                  Unknown         9-Jun-2003
Sony Corporation                     Unknown         3-Jan-2003
Stonesoft                            Unknown         14-Jan-2003
Sun Microsystems Inc.                Vulnerable      3-Feb-2003
SuSE Inc.                            Unknown         3-Jan-2003
Symantec Corporation                 Unknown         14-Jan-2003
The SCO Group (SCO Linux)            Unknown         4-Apr-2003
The SCO Group (SCO UnixWare)         Unknown         4-Apr-2003
Unisys                               Unknown         3-Jan-2003
WatchGuard                           Unknown         14-Jan-2003
Wind River Systems Inc.              Unknown         3-Jan-2003
Wirex                                Unknown         3-Jan-2003
Xerox Corporation                    Vulnerable      9-Jun-2003
ZyXEL                                Not Vulnerable  24-Jul-2003

References


http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf
http://www.atstake.com/research/advisories/2003/a010603-1.txt
http://www.nextgenss.com/advisories/etherleak-2003.txt
http://www.ietf.org/rfc/rfc1042.txt

Credit

The CERT/CC thanks Ofir Arkin and Josh Anderson for their discovery and analysis of this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public: 2003-01-06
Date First Published: 2003-01-06
Date Last Updated: 2003-07-25
CERT Advisory:
CVE-ID(s): CAN-2003-0001
NVD-ID(s): CAN-2003-0001
US-CERT Technical Alerts:
Metric: 13.50
Document Revision: 34

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2003 Carnegie Mellon University