From owner-freebsd-doc Tue Jan 7 9:49:43 2003 Delivered-To: freebsd-doc@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 111E837B401 for ; Tue, 7 Jan 2003 09:49:41 -0800 (PST) Received: from motgate2.mot.com (motgate2.mot.com [136.182.1.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6323E43F08 for ; Tue, 7 Jan 2003 09:49:40 -0800 (PST) (envelope-from Charles.S.Libby@motorola.com) Received: from pobox3.mot.com (pobox3.mot.com [10.64.251.242]) by motgate2.mot.com (Motorola/Motgate2) with ESMTP id h07Ho1rB025085 for ; Tue, 7 Jan 2003 10:50:01 -0700 (MST) Received: [from il33exm02.wes.mot.com (il33exm02.wes.mot.com [154.56.3.102]) by pobox3.mot.com (MOT-pobox3 2.0) with ESMTP id KAA07646 for ; Tue, 7 Jan 2003 10:49:10 -0700 (MST)] Received: from motorola.com (DHCP129_188_138_177.corp.mot.com [129.188.138.177]) by il33exm02.wes.mot.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2656.59) id W391C89V; Tue, 7 Jan 2003 11:49:38 -0600 Message-ID: <3E1ABE0B.9070702@motorola.com> Date: Tue, 07 Jan 2003 05:46:19 -0600 From: "Charles S. Libby" User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021212 X-Accept-Language: en-us, en MIME-Version: 1.0 To: doc@freebsd.org Subject: Ethernet layer flaw - Does Free BSD Have it? Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-doc@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org January 6, 2003 Flaw Found in Ethernet Device Drivers Security researchers have discovered a serious vulnerability that may be present in many Ethernet device drivers that is causing the devices to broadcast sensitive information over networks. According to the IEEE's Ethernet standard, packets transmitted on an Ethernet network should be a minimum of 46 bytes. If, as sometimes happens with protocols such as IP, a higher layer protocol requires less than 46 bytes, the Ethernet frames are supposed to be padded with null data. However, researchers at @stake Inc., in Cambridge, Mass., have discovered that many drivers instead pad packets with data from previously transmitted Ethernet frames. This results in the device sending out sensitive information to other machines on the same Ethernet network. The type of data sent depends upon the device driver implementation, but it can range from data housed in the dynamic kernel memory, to static system memory allocated to the driver, to a hardware buffer located on the network interface card. Thanks to some vagueness in the standards defining IP datagram transmission on Ethernet networks, it's not entirely clear exactly how the padding should be done. Some implementations do it on the NIC, while others handle it in the software device driver and still others do it in a separate layer 2 stack, @stake said. Ethernet In It for the Long Haul First Multiport Gigabit Ethernet Probe Debuts ServerWorks Adds Gigabit Ethernet Capability (ExtremeTech) "This information leakage vulnerability is trivial to exploit and has potentially devastating consequences. Several different variants of this implementation flaw result in this vulnerability," the @stake researchers wrote in their paper on the flaw, released Monday. "The Linux, NetBSD and Microsoft Windows operating systems are known to have vulnerable link layer implementations, and it is extremely likely that other operating systems are also affected." The most likely exploitation of the vulnerability would be for an attacker to send ICMP (Internet Control Messaging Protocol) echo requests to a vulnerable machine. The machine would then send back replies containing portions of the device's memory. In tests, the researchers found that most often the pad data sent in error contains portions of network traffic that the vulnerable device is handling. An attacker could use that information to plan further attacks on the vulnerable machine. "The number of affected systems is staggering, and the number of vulnerable systems used as critical network infrastructure terrifying. The security of proprietary network devices is particularly questionable," the researchers wrote in conclusion to their paper. The CERT Coordination Center has posted on its Web site a list of vendors whose products may be affected by this vulnerability. However, the vast majority of them apparently haven't responded to information about the flaw, so it's not clear exactly which devices are vulnerable. The CERT list is available here. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message