For those who may not have seen this CERT note, I'm forwarding a link to the

Basically, it boils down to the fact that certain network cards chipsets
and/or drivers are padding under-sized IP packets with data from previously
seen network packets, and not null bytes (as the relevant RFC suggests).
Therefore, they pose a security risk (i.e. passwords may be uncovered, etc.)

I'm sure we all use SSH, SSL, et-al, of course, but I'm sure you'll be
relieved to know that it would appear both the chipsets and drivers (e100,
e1000, ANS) for Intel NICs that feature in Dell PowerEdge servers are not
vulnerable under Linux. CERT don't seem to have Broadcom in their vendor

For more info, see the following links:


By the way, an easy method to test for yourself whether any device on your
network is vulnerable is to send an ICMP Echo (ping) packet with a payload
of 1 byte, and then check the contents of the response packets with a tool
like tcpdump, snort, ethereal, etc. For example:

[basil at dev basil]$ ping -s 1
PING ( from : 1(29) bytes of data.
9 bytes from icmp_seq=0 ttl=255
9 bytes from icmp_seq=1 ttl=255
9 bytes from icmp_seq=2 ttl=255
9 bytes from icmp_seq=3 ttl=255

--- ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss

In the captured ICMP Echo Reply packet, you should then see that the last 17
bytes of data should be null bytes, like below. If not, the device may be

00 B0 D0 EE | 8A BE 00 03 | 6B F6 6C 35 | 08 00 45 00 [........k.l5..E.]
00 1D E5 D8 | 00 00 FF 01 | FF 47 C0 A8 | 2A C9 C0 A8 [.........G..*...]
2A A5 00 00 | 93 FF 02 00 | 09 00 61 00 | 00 00 00 00 [*.........a.....]
00 00 00 00 | 00 00 00 00 | 00 00 00 00 |             [............]

(By the way, this packet data example is not from the previous ping command
above. I captured it from pinging a Cisco PIX 515 firewall from a Windows
2000 machine.)

Hope this info was of use to everyone.


