Flaw Found in Ethernet Device Drivers

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,809353,00.asp

January 6, 2003

Security researchers have discovered a serious vulnerability that may
be present in many Ethernet device drivers that is causing the devices
to broadcast sensitive information over networks.

According to the IEEE's Ethernet standard, packets transmitted on an
Ethernet network should be a minimum of 46 bytes. If, as sometimes
happens with protocols such as IP, a higher layer protocol requires
less than 46 bytes, the Ethernet frames are supposed to be padded with
null data. However, researchers at @stake Inc., in Cambridge, Mass.,
have discovered that many drivers instead pad packets with data from
previously transmitted Ethernet frames.

This results in the device sending out sensitive information to other
machines on the same Ethernet network. The type of data sent depends
upon the device driver implementation, but it can range from data
housed in the dynamic kernel memory, to static system memory allocated
to the driver, to a hardware buffer located on the network interface
card.

Thanks to some vagueness in the standards defining IP datagram
transmission on Ethernet networks, it's not entirely clear exactly how
the padding should be done. Some implementations do it on the NIC,
while others handle it in the software device driver and still others
do it in a separate layer 2 stack, @stake said.

"This information leakage vulnerability is trivial to exploit and has
potentially devastating consequences. Several different variants of
this implementation flaw result in this vulnerability," the @stake
researchers wrote in their paper on the flaw, released Monday. "The
Linux, NetBSD and Microsoft Windows operating systems are known to
have vulnerable link layer implementations, and it is extremely likely
that other operating systems are also affected."

The most likely exploitation of the vulnerability would be for an
attacker to send ICMP (Internet Control Messaging Protocol) echo
requests to a vulnerable machine. The machine would then send back
replies containing portions of the device's memory. In tests, the
researchers found that most often the pad data sent in error contains
portions of network traffic that the vulnerable device is handling.

An attacker could use that information to plan further attacks on the
vulnerable machine.

"The number of affected systems is staggering, and the number of
vulnerable systems used as critical network infrastructure terrifying.  
The security of proprietary network devices is particularly
questionable," the researchers wrote in conclusion to their paper.

The CERT Coordination Center has posted on its Web site a list of
vendors whose products may be affected by this vulnerability. However,
the vast majority of them apparently haven't responded to information
about the flaw, so it's not clear exactly which devices are
vulnerable. The CERT list is available here.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.