Vendors mum on Ethernet driver warnings
Despite being informed six months ago of a potentially serious security hole that may exist in Ethernet device drivers, many leading software and hardware manufacturers have yet to indicate whether their products contain the vulnerability.
The vulnerability concerns the way in which NIC (network interface card) device drivers transmit data from one machine to another on an Ethernet network.
According to standards published by the Institute of Electrical and Electronics Engineers Inc. (IEEE), streams of information sent over an Ethernet network should be organized into "frames" that are at least 46 bytes long.
In some instances where higher layer protocols such as IP (Internet Protocol) provide packet data that is less than 46 bytes long, the software device drivers are supposed to fill in the empty space in the Ethernet frame with unusable data -- a process known as "padding" the frame.
However, researchers at @stake Inc., a security consulting company based in Cambridge, Massachusetts, found that many device drivers actually pull potentially sensitive information from the machines on which they are installed to pad the frames.
The information might be taken from memory allocated to the device driver, from the operating system kernel or from a buffer on the NIC hardware, with different software drivers pulling the filler content from different sources, according to Ofir Arkin, a former @stake researcher who helped discover and report the problem.
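The padding flaw described above, as an added C illustration (not code from @stake, CERT or any vendor's driver): a reused transmit buffer is padded without being cleared, shown beside the corrected version and a check for non-zero pad bytes. All function names, the buffer and the sample payloads are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN   14   /* destination MAC, source MAC, EtherType */
#define ETH_MIN_DATA  46   /* minimum data length stated in the article */

/* Constructed stand-in for a transmit buffer the driver reuses between frames. */
static uint8_t tx_buf[ETH_HDR_LEN + 1500];

/* Flawed pattern: copy the short payload, then report the minimum length
 * without touching the bytes in between. Whatever the buffer held before
 * goes out on the wire as padding. */
size_t build_frame_leaky(const uint8_t *hdr, const uint8_t *data, size_t len)
{
    memcpy(tx_buf, hdr, ETH_HDR_LEN);
    memcpy(tx_buf + ETH_HDR_LEN, data, len);
    return ETH_HDR_LEN + (len < ETH_MIN_DATA ? ETH_MIN_DATA : len);
}

/* Corrected pattern: explicitly zero the pad region before transmit. */
size_t build_frame_zeroed(const uint8_t *hdr, const uint8_t *data, size_t len)
{
    size_t total = build_frame_leaky(hdr, data, len);
    if (len < ETH_MIN_DATA)
        memset(tx_buf + ETH_HDR_LEN + len, 0, ETH_MIN_DATA - len);
    return total;
}

/* Audit check: count non-zero pad bytes in a frame whose real payload
 * length is known (for IP, from the total-length field). */
size_t nonzero_pad_bytes(const uint8_t *frame, size_t frame_len, size_t data_len)
{
    size_t n = 0;
    for (size_t i = ETH_HDR_LEN + data_len; i < frame_len; i++)
        n += (frame[i] != 0);
    return n;
}

/* Constructed scenario: a 48-byte payload is sent first, then a 4-byte
 * payload reuses the buffer. Returns the number of stale pad bytes. */
size_t demo(int zeroed)
{
    static const uint8_t hdr[ETH_HDR_LEN] = {0};
    static const uint8_t first[] = "user=alice&password=constructed-secret-value-123";
    build_frame_leaky(hdr, first, sizeof first - 1);
    size_t total = (zeroed ? build_frame_zeroed : build_frame_leaky)
                       (hdr, (const uint8_t *)"ping", 4);
    return nonzero_pad_bytes(tx_buf, total, 4);
}
```

With the flawed builder, all 42 pad bytes of the second frame still hold data from the first; with the corrected builder none do.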
In testing with software drivers from a number of leading software vendors, Arkin and his colleagues pulled passwords and Web browser session information from the filler information, according to Arkin.
"We were able to extract basically whatever information was sent to us," Arkin said.
Although Arkin admits that the filler information would not be accessible to someone trying to access the network from outside or useful to "script kiddies" (novice hackers), he said experienced hackers would have little trouble piecing the bits of information together. That information could allow them to gain access to prohibited parts of a corporate network or an individual employee's network and Internet accounts.
"For an experienced hacker, this is a gold mine," Arkin said.
Other security experts agreed.
"There are some instances that @stake reported that may be serious, particularly where information is leaked from the dynamic kernel memory. That information could contain tidbits of data that, when assembled, could be interesting to an attacker," said Jeffrey P. Lanza of CERT Coordination Center, which notified manufacturers about the vulnerability in June and published a vulnerability note on the issue (VU#412115) on Monday.
Drivers for a variety of Linux and Unix distributions, including ones from RedHat Inc., Suse Linux AG, MandrakeSoft SA and Conectiva SA, contain the vulnerability, according to Arkin. In addition, at least one Windows driver for a PCMCIA (Personal Computer Memory Card International Association) Ethernet card from Compaq Computer Corp. (since acquired by Hewlett-Packard Co.) was found to contain the vulnerability during testing conducted by @stake, according to Arkin.
As of Friday, none of those vendors had responded to CERT about the status of their products, according to information