[NEWS] Etherleak: Ethernet Frame Padding Information Leakage

From: support@securiteam.com
To: list@securiteam.com
Date: 7 Jan 2003 10:55:36 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Etherleak: Ethernet Frame Padding Information Leakage
    ------------------------------------------------------------------------

    SUMMARY

    Ethernet Network Interface Card (NIC) device drivers on multiple platforms
    handle frame padding incorrectly, allowing an attacker to view slices of
    previously transmitted packets or portions of kernel memory. Ethernet
    imposes a minimum frame size, so a short packet must be padded before it
    is transmitted, and RFC 894 requires that padding to consist of zero
    octets. Affected drivers instead transmit whatever happens to follow the
    packet in the transmit buffer. This vulnerability is the result of
    incorrect implementations of that RFC requirement and poor programming
    practices, the combination of which produces several variations of the
    same information leakage.

    The simplest attack using this vulnerability is to send small ICMP echo
    request messages to a machine with a vulnerable Ethernet driver. The echo
    replies are shorter than the Ethernet minimum, so the driver pads them,
    and portions of kernel memory are returned to the attacker in that
    padding. During testing we found that the portions returned are typically
    snippets of network traffic that the vulnerable machine is handling. This
    allows an attacker to see portions of the traffic that a router or
    firewall is handling on network segments to which the attacker has no
    direct access. It is important to note that the attacker must be on the
    same Ethernet segment as the vulnerable machine in order to receive the
    padded Ethernet frames: the padding is not part of the IP datagram and
    is discarded by any router in the path.
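    The following is an added example and is not code from the @stake report
    or from any affected driver. It models the bug in user space: a
    "driver" copies each packet into a transmit buffer that is reused between
    packets (as a ring-buffer slot would be) and hands the NIC at least the
    60-byte minimum frame, once without zeroing the tail and once with the
    fix. It also carries the receiver-side check an attacker or a scanner
    would apply to the reply: everything past the IP total length is padding
    and must be zero. The MAC addresses, IP addresses, the 200-byte "earlier
    traffic" and the ICMP echo reply are all constructed for the demo; the
    IP checksum is left zero because nothing here verifies it, and the FCS is
    not modelled.

```c
/* Added example (not from the @stake report): user-space model of Etherleak.
 * A driver copies each packet into a reused transmit buffer and sends at least
 * ETH_MIN_FRAME bytes; if it never zeroes the tail, the padding carries bytes
 * of whatever the buffer held before. All addresses/payloads are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN        14   /* dst(6) + src(6) + EtherType(2); FCS not modelled */
#define ETH_MIN_PAYLOAD 46   /* minimum Ethernet data field, per RFC 894 / 802.3 */
#define ETH_MIN_FRAME   (ETH_HLEN + ETH_MIN_PAYLOAD)   /* 60 bytes before the FCS */

/* Transmit buffer that persists between packets, like a reused ring slot. */
static uint8_t tx_buf[1514];

static size_t padded_len(size_t len) {
    return len < ETH_MIN_FRAME ? ETH_MIN_FRAME : len;
}

/* Vulnerable driver: copies the packet, returns the length the NIC will send,
 * and trusts the bytes past the packet to be zero. They are not. */
static size_t tx_vulnerable(const uint8_t *pkt, size_t len) {
    memcpy(tx_buf, pkt, len);
    return padded_len(len);
}

/* Fixed driver: explicitly zeroes the padding before the frame is sent. */
static size_t tx_fixed(const uint8_t *pkt, size_t len) {
    size_t out = padded_len(len);
    memcpy(tx_buf, pkt, len);
    memset(tx_buf + len, 0, out - len);
    return out;
}

/* Builds Ethernet + minimal IPv4 header + payload (constructed addresses;
 * IP checksum left zero, nothing here verifies it). Returns frame length. */
static size_t make_ipv4_frame(uint8_t *out, uint8_t proto,
                              const uint8_t *payload, size_t plen) {
    static const uint8_t dst[6] = {0x00,0x11,0x22,0x33,0x44,0x55};
    static const uint8_t src[6] = {0x00,0x66,0x77,0x88,0x99,0xaa};
    uint16_t total = (uint16_t)(20 + plen);
    uint8_t *ip = out + ETH_HLEN;
    memcpy(out, dst, 6); memcpy(out + 6, src, 6);
    out[12] = 0x08; out[13] = 0x00;                 /* EtherType IPv4 */
    memset(ip, 0, 20);
    ip[0] = 0x45;                                   /* version 4, IHL 5 */
    ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total;
    ip[8] = 64; ip[9] = proto;                      /* TTL, protocol */
    memcpy(ip + 12, "\xc0\xa8\x01\x0a\xc0\xa8\x01\x01", 8); /* 192.168.1.10 -> .1 */
    memcpy(ip + 20, payload, plen);
    return ETH_HLEN + 20 + plen;
}

/* Receiver-side Etherleak check on a captured frame (FCS already stripped):
 * everything past ETH_HLEN + IP total length is padding and must be zero.
 * Sets *pad_len to the padding length; returns true if any pad byte is set. */
static bool padding_leaks(const uint8_t *frame, size_t frame_len, size_t *pad_len) {
    size_t end;
    *pad_len = 0;
    if (frame_len < ETH_HLEN + 20 || frame[12] != 0x08 || frame[13] != 0x00)
        return false;                               /* not IPv4 */
    end = ETH_HLEN + ((size_t)frame[ETH_HLEN + 2] << 8 | frame[ETH_HLEN + 3]);
    if (end > frame_len)
        return false;                               /* truncated, not padded */
    *pad_len = frame_len - end;
    for (size_t i = end; i < frame_len; i++)
        if (frame[i] != 0)
            return true;
    return false;
}

/* The advisory's scenario: the host forwards a 200-byte packet, then answers
 * a ping with a 28-byte IP datagram (42-byte frame, padded to 60). Returns
 * how many padding bytes of the reply equal the earlier packet's bytes at the
 * same offset, i.e. how much of that packet the attacker now holds. */
size_t etherleak_demo(bool use_fixed) {
    uint8_t earlier[256], reply[64], secret[200];
    const uint8_t echo_reply[8] = {0, 0, 0, 0, 0x12, 0x34, 0x00, 0x01}; /* type/code/cksum/id/seq */
    size_t (*tx)(const uint8_t *, size_t) = use_fixed ? tx_fixed : tx_vulnerable;
    size_t earlier_len, reply_len, sent, pad_len, matched = 0;
    for (size_t i = 0; i < sizeof secret; i++)
        secret[i] = (uint8_t)('A' + i % 26);        /* stand-in for traffic being routed */
    earlier_len = make_ipv4_frame(earlier, 6, secret, sizeof secret);     /* proto 6 = TCP */
    reply_len = make_ipv4_frame(reply, 1, echo_reply, sizeof echo_reply);  /* proto 1 = ICMP */
    tx(earlier, earlier_len);
    sent = tx(reply, reply_len);
    if (!padding_leaks(tx_buf, sent, &pad_len))
        return 0;
    for (size_t i = reply_len; i < sent; i++)
        if (tx_buf[i] == earlier[i])
            matched++;
    return matched;
}

int main(void) {
    printf("vulnerable driver leaks %zu bytes of the previous packet\n", etherleak_demo(false));
    printf("fixed driver leaks %zu bytes\n", etherleak_demo(true));
    return 0;
}
```

    The 18 bytes the vulnerable path leaks are exactly the difference between
    the 42-byte echo-reply frame and the 60-byte minimum, and they come from
    the payload of the packet transmitted just before it. The same
    `padding_leaks` check applied to real captures is the practical test:
    ping a host with a small payload, capture the replies on the same
    segment, and look for non-zero bytes beyond the IP total length.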

    DETAILS

    @stake has prepared a detailed report on this issue. The vulnerability is
    explored in its various manifestations through code examples and packet
    captures.

    Report available at:
    http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf

    Vendor Response:
    Multiple platform and hardware vendors were contacted via the CERT
    Coordination Center on 06/25/02. Detailed vendor response information is
    available in CERT vulnerability note VU#412115.

    Recommendation:
    Contact the vendor of your Ethernet device drivers or your hardware vendor
    for a patch.

    End-to-end encryption technologies such as SSL, IPsec, and SSH should be
    used when transmitting sensitive data over a network. Encryption only
    partially mitigates this issue: the kernel data leaked in the Ethernet
    frame padding is not always the IP payload of a previous frame. Sometimes
    it is unencrypted IP header information or other kernel memory, which
    no transport- or network-layer encryption protects.

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.atstake.com/research/advisories/2003/a010603-1.txt

    The information has been provided by Ofir Arkin (ofir@sys-security.com)
    and Josh Anderson of @stake.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
