Back to list
Etherleak: Ethernet frame padding information leakage (A010603-1)
Jan 06 2003 05:53PM
@stake Advisories (advisories atstake com)
-----BEGIN PGP SIGNED MESSAGE-----
Advisory Name: Etherleak: Ethernet frame padding information leakage
Release Date: 01/06/2003
Application: Ethernet device driver software
Severity: Information disclosure
Authors: Ofir Arkin <ofir (at) sys-security (dot) com [email concealed]>
Vendor Status: Multiple vendors alerted via CERT Coordination Center
CVE Candidate: CAN-2003-0001
Multiple platform ethernet Network Interface Card (NIC) device
drivers incorrectly handle frame padding, allowing an attacker to
view slices of previously transmitted packets or portions of kernel
memory. This vulnerability is the result of incorrect implementations
of RFC requirements and poor programming practices, the combination
of which results in several variations of this information leakage
The simplest attack using this vulnerability would be to send ICMP
echo messages to a machine with a vulnerable ethernet driver.
Portions of kernel memory will be returned to the attacker in the
padding of the reply messages. During testing we have found that
the portions returned are typically snippets of network traffic
that the vulnerable machine is handling. This attack can allow
an attacker to see portions of the traffic that a router or firewall
is handling on network segments the attacker has no direct access
too. It is important to note that the attacker must be on the
same ethernet network as the vulnerable machine to receive the
@stake has prepared a detailed report on this issue. The
vulnerability is explored in its various manifestations through
code examples and packet captures.
Report available at:
Multiple platform and hardware vendors were contacted via the CERT
Coordination Center on 06/25/02. Detailed vendor response
information is available in CERT vulnerability note VU#412115.
Contact the vendor of your ethernet device drivers or your hardware
vendor for a patch.
End to end encryption technologies such as SSL, IPSEC, and SSH
should be used when transmitting sensitive data over a network. Using
encryption will help protect against this issue partly. It is not a
complete solution because the kernel data leaked in the ethernet
frame padding is not always the IP packet data portion of a
previous frame. Sometimes it is unencrypted IP header information or
other kernel memory.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2003-0001 Ethernet frame padding information leakage
@stake Vulnerability Reporting Policy:
@stake Advisory Archive: http://www.atstake.com/research/advisories/
Copyright 2003 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
-----END PGP SIGNATURE-----
[ reply ]
Copyright 2010, SecurityFocus