[VulnWatch] Etherleak: Ethernet frame padding information leakage (A010603-1)

From: @stake Advisories (@stake)
Date: 01/06/03

    Date: Mon, 06 Jan 2003 12:24:19 -0500
    From: "@stake Advisories" <advisories@atstake.com>
    To: vulnwatch@vulnwatch.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                    @stake, Inc.
                                  www.atstake.com

                                 Security Advisory

    Advisory Name: Etherleak: Ethernet frame padding information leakage
     Release Date: 01/06/2003
      Application: Ethernet device driver software
         Platform: Multiple
         Severity: Information disclosure
          Authors: Ofir Arkin <ofir@sys-security.com>
                   Josh Anderson
    Vendor Status: Multiple vendors alerted via CERT Coordination Center
    CVE Candidate: CAN-2003-0001
        Reference: www.atstake.com/research/advisories/2003/a010603-1.txt

    Overview:

    Ethernet requires a minimum frame size of 64 bytes, i.e. at least 46
    bytes of data after the 14-byte header (the 4-byte FCS aside). A driver
    sending a shorter packet must therefore pad the frame, and RFC 894
    requires that padding to consist of zero octets. Multiple platform
    ethernet Network Interface Card (NIC) device drivers instead pad with
    whatever happens to follow the packet in memory, allowing an attacker
    to view slices of previously transmitted packets or portions of kernel
    memory. This vulnerability is the result of incorrect implementations
    of that RFC requirement combined with poor programming practices
    (reusing transmit buffers without clearing them, handing the hardware
    a length larger than the packet), and the combination results in
    several variations of this information leakage vulnerability.

    The simplest attack using this vulnerability is to send ICMP echo
    requests with little or no data to a machine with a vulnerable
    ethernet driver. The echo reply (20-byte IP header plus 8-byte ICMP
    header) is then shorter than the 46-byte minimum payload and must be
    padded, and portions of kernel memory are returned to the attacker in
    the padding of the reply frames. During testing we found that the
    portions returned are typically snippets of network traffic that the
    vulnerable machine is handling. This attack can allow an attacker to
    see portions of the traffic that a router or firewall is handling on
    network segments the attacker has no direct access to. It is important
    to note that the padding is part of the ethernet frame only, not of
    the IP datagram, so it is discarded by any router in the path: the
    attacker must be on the same ethernet segment as the vulnerable
    machine to receive the padded frames.
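    The attack path above, worked through as an added example. This is
    Python written for this page, not code from the advisory or from the
    @stake report, and it models only the buffer-reuse variant of the bug:
    a toy transmit buffer that is filled with a larger packet, then reused
    for a data-less echo reply, either without clearing the tail (the
    vulnerable behaviour) or zero-filled per RFC 894 (the fix). The
    inspector, frame_padding(), is the check you would run over captured
    echo replies from a real host: it returns every byte past the IPv4
    total length, and any non-zero byte there is leaked memory. All
    addresses, ports, MACs and the "user=alice&pass=s3cret" payload are
    constructed for the demonstration.

```python
import struct

ETH_HDR_LEN = 14
ETH_MIN_PAYLOAD = 46                 # IEEE 802.3: 64-byte minimum frame minus 14-byte header and 4-byte FCS
ETH_MIN_FRAME = ETH_HDR_LEN + ETH_MIN_PAYLOAD   # 60 bytes as seen in a capture (FCS stripped)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_frame(proto: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 frame. Addresses are constructed (10.0.0.2 -> 10.0.0.1)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                      bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]   # fill header checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + hdr + payload


def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum 0 is legal over IPv4) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def icmp_echo_reply(ident: int, seq: int, data: bytes = b"") -> bytes:
    """ICMP type 0/code 0 with a correct checksum; data-less by default (8 bytes)."""
    hdr = struct.pack("!BBHHH", 0, 0, 0, ident, seq)
    csum = inet_checksum(hdr + data)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + data


class TxBuffer:
    """Hypothetical driver transmit buffer reused for every frame. The vulnerable
    path copies the packet in and lets the NIC send the 60-byte minimum anyway,
    so the tail still holds the previous packet; the fixed path zero-fills it."""

    def __init__(self):
        self.buf = bytearray(1514)

    def transmit(self, frame: bytes, zero_pad: bool) -> bytes:
        self.buf[:len(frame)] = frame
        wire_len = max(len(frame), ETH_MIN_FRAME)
        if zero_pad:
            self.buf[len(frame):wire_len] = bytes(wire_len - len(frame))   # RFC 894: pad with zeros
        return bytes(self.buf[:wire_len])


def frame_padding(frame: bytes) -> bytes:
    """Bytes past the IPv4 total length in an Ethernet frame (FCS already stripped,
    as in a pcap). Empty when the datagram fills the frame."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    if frame[ETH_HDR_LEN] >> 4 != 4:
        raise ValueError("IP version is not 4")
    total_len = struct.unpack_from("!H", frame, ETH_HDR_LEN + 2)[0]
    end = ETH_HDR_LEN + total_len
    if end > len(frame):
        raise ValueError("IP total length exceeds captured frame (truncated capture?)")
    return frame[end:]


def leaked_padding(frame: bytes) -> bytes:
    """Padding that is not all zeros, i.e. the Etherleak signature; b'' if clean."""
    pad = frame_padding(frame)
    return pad if any(pad) else b""


def demo():
    """Returns (leak from the vulnerable driver, leak from the fixed driver)."""
    nic = TxBuffer()
    # Constructed traffic the host handled a moment ago: a UDP datagram with a credential.
    earlier = build_ipv4_frame(IPPROTO_UDP, udp_datagram(40000, 514, b"user=alice&pass=s3cret"))
    nic.transmit(earlier, zero_pad=False)
    # Now it answers a data-less ping: 14 + 20 + 8 = 42 bytes, 18 short of the minimum.
    reply = build_ipv4_frame(IPPROTO_ICMP, icmp_echo_reply(0x4242, 1))
    vulnerable = nic.transmit(reply, zero_pad=False)
    fixed = nic.transmit(reply, zero_pad=True)
    return leaked_padding(vulnerable), leaked_padding(fixed)


if __name__ == "__main__":
    vuln, ok = demo()
    print("vulnerable driver leaked:", vuln)   # b'user=alice&pass=s3'
    print("fixed driver leaked:    ", ok)      # b''
```

    Against a real target the same inspector applies to frames captured on
    the attacker's segment while pinging the host with no ICMP data (so
    the reply is 42 bytes before padding); a driver that zero-fills yields
    18 zero bytes, a vulnerable one yields 18 bytes of whatever the host
    last sent or had in memory.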

           
    Details:

    @stake has prepared a detailed report on this issue. The
    vulnerability is explored in its various manifestations through
    code examples and packet captures.

    Report available at:

    www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf

    Vendor Response:

    Multiple platform and hardware vendors were contacted via the CERT
    Coordination Center on 06/25/02. Detailed vendor response
    information is available in CERT vulnerability note VU#412115.

    Recommendation:

    Contact the vendor of your ethernet device drivers or your hardware
    vendor for a patch.

    End-to-end encryption technologies such as SSL, IPsec, and SSH
    should be used when transmitting sensitive data over a network.
    Encryption only partly mitigates this issue, because the kernel data
    leaked in the ethernet frame padding is not always the (encrypted)
    payload of a previous packet. Sometimes it is unencrypted IP header
    information or other kernel memory, neither of which these protocols
    protect.

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

      CAN-2003-0001 Ethernet frame padding information leakage

    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    @stake Advisory Archive: http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    Copyright 2003 @stake, Inc. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBPhmc+Ee9kNIfAm4yEQKyjACgnvi0ZuRUb94nfcG0zMHPzl6XdZQAn1tG
    TXcUNSc0uLgCvhUp0vQAu7+J
    =3Dtx
    -----END PGP SIGNATURE-----


