Several third-party device drivers that ship with Windows Server 2003 contain a vulnerability that causes them to leak potentially sensitive data during TCP transmissions.
The flaw does not affect any Microsoft Corp. drivers; it has only been found in drivers provided by outside vendors.
The vulnerability is quite similar to a class of flaws first described in a paper published by @stake Inc. in January. The problem occurs when messages transmitted between two machines are padded with arbitrary data in order to bring their byte size up to the minimum the standard requires. The @stake paper described the problem as occurring in Ethernet frames carrying ICMP messages. But researchers at Next Generation Security Software Ltd. recently discovered that the issue is also present in some TCP transmissions from device drivers.
The problem is that when Ethernet frames don't meet the minimum size requirement specified by the standard, the device drivers pad the frames with data pulled from previously used buffers without first clearing that section of memory. This means that whatever information was in that buffer is then sent as part of the new transmission. The NGSS researchers observed the behavior most frequently during the closure of a TCP connection, when the FIN and ACK packets are exchanged; these segments carry no payload, so the frames fall short of the minimum length and must be padded. Among the data the researchers were able to observe were e-mail passwords.
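The padding leak described above is easy to check for in a capture from your own network: for an IPv4 frame, everything after the byte count given by the IP total-length field is padding, and a correctly written driver fills it with zeros. The following Python is an added example, not code from the article, NGSS, @stake or any vendor; it handles IPv4 only, builds a constructed 54-byte TCP FIN+ACK frame (checksums left at zero, since only lengths and the trailer are inspected) and reports whether the six bytes of padding contain anything other than zeros.

```python
import struct

ETH_HEADER_LEN = 14
MIN_FRAME_LEN = 60            # 64-byte minimum on the wire minus the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800


def padding_bytes(frame: bytes) -> bytes:
    """Return the trailer that follows the IPv4 datagram inside an Ethernet frame.

    Frames shorter than MIN_FRAME_LEN are padded by the driver or NIC before
    transmission; a correct driver pads with zeros. Raises ValueError for
    frames this example does not handle (non-IPv4 or malformed lengths).
    """
    if len(frame) < ETH_HEADER_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 frames are handled in this example")
    ip_total_len = struct.unpack("!H", frame[ETH_HEADER_LEN + 2:ETH_HEADER_LEN + 4])[0]
    end = ETH_HEADER_LEN + ip_total_len
    if end > len(frame):
        raise ValueError("IP total length exceeds captured frame length")
    return frame[end:]


def leaks_padding(frame: bytes) -> bool:
    """True when the padding holds non-zero bytes, i.e. stale buffer contents."""
    return any(padding_bytes(frame))


def build_tcp_fin_ack_frame(pad: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP FIN+ACK frame followed by `pad`.

    Constructed sample data: MAC and IP addresses are documentation values,
    checksums are zero. A 40-byte IP datagram gives a 54-byte frame, so the
    driver must add 6 bytes of padding to reach the 60-byte minimum.
    """
    eth = (bytes.fromhex("001122334455")          # destination MAC
           + bytes.fromhex("66778899aabb")        # source MAC
           + struct.pack("!H", ETHERTYPE_IPV4))
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags FIN|ACK
    tcp = struct.pack("!HHIIBBHHH", 49152, 25, 1000, 2000, 5 << 4, 0x11, 8192, 0, 0)
    # IPv4 header: version/IHL, TOS, total length, ID, flags/frag, TTL, proto TCP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return eth + ip + tcp + pad


def find_leaking_frames(frames: list) -> list:
    """Return (index, padding) for every frame whose padding is not all zeros."""
    hits = []
    for i, frame in enumerate(frames):
        try:
            pad = padding_bytes(frame)
        except ValueError:
            continue                      # skip frames this checker does not parse
        if any(pad):
            hits.append((i, pad))
    return hits


if __name__ == "__main__":
    # Constructed capture: one correctly padded frame, one padded from a stale buffer.
    clean = build_tcp_fin_ack_frame(b"\x00" * 6)
    stale = build_tcp_fin_ack_frame(b"pass:s")   # constructed stale buffer contents
    for idx, pad in find_leaking_frames([clean, stale]):
        print(f"frame {idx}: {len(pad)} non-zero padding bytes: {pad!r}")
```

On a real capture you would feed the checker raw frames read from a pcap (the example leaves the pcap parsing out so it runs offline); any hit means the sending driver is padding from uncleared memory and should be updated or reported to its vendor.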
There are several drivers affected by the TCP version of this vulnerability, including those for Advanced Micro Devices Inc.'s PCNet network cards and Via Technologies Inc.'s Rhine II compatible network cards, according to the bulletin published by NGSS, based in Surrey, England. Both of these drivers are digitally signed by Microsoft and are included on the Windows Server 2003 installation CD.
According to a Microsoft statement on the issue, “Microsoft does not ship any Microsoft written drivers that contain the vulnerability. However, we have found some third party drivers and samples in our documentation that, when compiled without alteration, could yield a driver that could contain this issue. We have made corrections to the samples in our documentation and are working with third parties, and have included tests for this issue in our driver certification program.”