Etherleak: Ethernet frame padding information leakage (A010603-1) Jan 06 2003 05:53PM
@stake Advisories (advisories atstake com)
Hash: SHA1

@stake, Inc.

Security Advisory

Advisory Name: Etherleak: Ethernet frame padding information leakage
Release Date: 01/06/2003
Application: Ethernet device driver software
Platform: Multiple
Severity: Information disclosure
Authors: Ofir Arkin <ofir (at) sys-security (dot) com [email concealed]>
Josh Anderson
Vendor Status: Multiple vendors alerted via CERT Coordination Center
CVE Candidate: CAN-2003-0001
Reference: www.atstake.com/research/advisories/2003/a010603-1.txt


Multiple platform ethernet Network Interface Card (NIC) device
drivers incorrectly handle frame padding, allowing an attacker to
view slices of previously transmitted packets or portions of kernel
memory. This vulnerability is the result of incorrect implementations
of RFC requirements and poor programming practices, the combination
of which results in several variations of this information leakage

The simplest attack using this vulnerability would be to send ICMP
echo messages to a machine with a vulnerable ethernet driver.
Portions of kernel memory will be returned to the attacker in the
padding of the reply messages. During testing we have found that
the portions returned are typically snippets of network traffic
that the vulnerable machine is handling. This attack can allow
an attacker to see portions of the traffic that a router or firewall
is handling on network segments the attacker has no direct access
too. It is important to note that the attacker must be on the
same ethernet network as the vulnerable machine to receive the
ethernet frames.


@stake has prepared a detailed report on this issue. The
vulnerability is explored in its various manifestations through
code examples and packet captures.

Report available at:


Vendor Response:

Multiple platform and hardware vendors were contacted via the CERT
Coordination Center on 06/25/02. Detailed vendor response
information is available in CERT vulnerability note VU#412115.


Contact the vendor of your ethernet device drivers or your hardware
vendor for a patch.

End to end encryption technologies such as SSL, IPSEC, and SSH
should be used when transmitting sensitive data over a network. Using
encryption will help protect against this issue partly. It is not a
complete solution because the kernel data leaked in the ethernet
frame padding is not always the IP packet data portion of a
previous frame. Sometimes it is unencrypted IP header information or
other kernel memory.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2003-0001 Ethernet frame padding information leakage

@stake Vulnerability Reporting Policy:

@stake Advisory Archive: http://www.atstake.com/research/advisories/

PGP Key:

Copyright 2003 @stake, Inc. All rights reserved.

Version: PGP 8.0


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus