Flaw Found in Ethernet Device Drivers
According to the IEEEs Ethernet standard, packets transmitted on an Ethernet network should be a minimum of 46 bytes. If, as sometimes happens with protocols such as IP, a higher layer protocol requires less than 46 bytes, the Ethernet frames are supposed to be padded with null data. However, researchers at @stake Inc., in Cambridge, Mass., have discovered that many drivers instead pad packets with data from previously transmitted Ethernet frames.
This results in the device sending out sensitive information to other machines on the same Ethernet network. The type of data sent depends upon the device driver implementation, but it can range from data housed in the dynamic kernel memory, to static system memory allocated to the driver, to a hardware buffer located on the network interface card.
Thanks to some vagueness in the standards defining IP datagram transmission on Ethernet networks, its not entirely clear exactly how the padding should be done. Some implementations do it on the NIC, while others handle it in the software device driver and still others do it in a separate layer 2 stack, @stake said.
"This information leakage vulnerability is trivial to exploit and has potentially devastating consequences. Several different variants of this implementation flaw result in this vulnerability," the @stake researchers wrote in their paper on the flaw, released Monday. "The Linux, NetBSD and Microsoft Windows operating systems are known to have vulnerable link layer implementations, and it is extremely likely that other operating systems are also affected."
The most likely exploitation of the vulnerability would be for an attacker to send ICMP (Internet Control Messaging Protocol) echo requests to a vulnerable machine. The machine would then send back replies containing portions of the devices memory. In tests, the researchers found that most often the pad data sent in error contains portions of network traffic that the vulnerable device is handling.
An attacker could use that information to plan further attacks on the vulnerable machine.
"The number of affected systems is staggering, and the number of vulnerable systems used as critical network infrastructure terrifying. The security of proprietary network devices is particularly questionable," the researchers wrote in conclusion to their paper.
The CERT Coordination Center has posted on its Web site a list of vendors whose products may be affected by this vulnerability. However, the vast majority of them apparently havent responded to information about the flaw, so its not clear exactly which devices are vulnerable. The CERT list is available here.