CERT Vulnerability Note VU#412115

Basil Hussain basil.hussain at kodakweddings.com
Fri Jan 17 09:44:01 CST 2003


Hi,

For those who may not have seen this CERT note, I'm forwarding a link to the
list.

Basically, it boils down to the fact that certain network cards chipsets
and/or drivers are padding under-sized IP packets with data from previously
seen network packets, and not null bytes (as the relevant RFC suggests).
Therefore, they pose a security risk (i.e. passwords may be uncovered, etc.)

I'm sure we all use SSH, SSL, et-al, of course, but I'm sure you'll be
relieved to know that it would appear both the chipsets and drivers (e100,
e1000, ANS) for Intel NICs that feature in Dell PowerEdge servers are not
vulnerable under Linux. CERT don't seem to have Broadcom in their vendor
list.

For more info, see the following links:

http://www.kb.cert.org/vuls/id/412115
http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf
http://www.kb.cert.org/vuls/id/JPLA-5BGP8L

By the way, an easy method to test for yourself whether any device on your
network is vulnerable is to send an ICMP Echo (ping) packet with a payload
of 1 byte, and then check the contents of the response packets with a tool
like tcpdump, snort, ethereal, etc. For example:

[basil at dev basil]$ ping -s 1 10.1.1.1
PING 10.1.1.1 (10.1.1.1) from 10.1.1.30 : 1(29) bytes of data.
9 bytes from 10.1.1.1: icmp_seq=0 ttl=255
9 bytes from 10.1.1.1: icmp_seq=1 ttl=255
9 bytes from 10.1.1.1: icmp_seq=2 ttl=255
9 bytes from 10.1.1.1: icmp_seq=3 ttl=255

--- 10.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss

In the captured ICMP Echo Reply packet, you should then see that the last 17
bytes of data should be null bytes, like below. If not, the device may be
vulnerable.

00 B0 D0 EE | 8A BE 00 03 | 6B F6 6C 35 | 08 00 45 00 [........k.l5..E.]
00 1D E5 D8 | 00 00 FF 01 | FF 47 C0 A8 | 2A C9 C0 A8 [.........G..*...]
2A A5 00 00 | 93 FF 02 00 | 09 00 61 00 | 00 00 00 00 [*.........a.....]
00 00 00 00 | 00 00 00 00 | 00 00 00 00 |             [............]

(By the way, this packet data example is not from the previous ping command
above. I captured it from pinging a Cisco PIX 515 firewall from a Windows
2000 machine.)

Hope this info was of use to everyone.

Regards,

Basil Hussain
---------------------------------------
Internet Developer, Kodak Weddings
E-Mail: basil.hussain at kodakweddings.com




More information about the Linux-PowerEdge mailing list