Computerworld

Vendors mum on Ethernet driver warnings

Despite being informed six months ago of a potentially serious security hole that may exist in Ethernet device drivers, many leading software and hardware manufacturers have yet to indicate whether their products contain the vulnerability.

The vulnerability concerns the way in which NIC (network interface card) device drivers transmit data from one machine to another on a Ethernet network.

According to standards published by the Institute of Electrical and Electronics Engineers Inc. (IEEE), streams of information sent over an Ethernet network should be organized into "frames" that are at least 46 bytes long.

In some instances where higher layer protocols such as IP (Internet Protocol) provide packet data that is less than 46 bytes long, the software device drivers are supposed to fill in the empty space in the Ethernet frame with unusable data -- a process known as "padding" the frame.

However, researchers at @stake Inc., a security consulting company based in Cambridge, Massachusetts, found that many device drivers actually pull potentially sensitive information from the machines on which they are installed to pad the frames.

The information might be taken from memory allocated to the device driver, from the operating system kernel or from a buffer on the NIC hardware, with different software drivers pulling the filler content from different sources, according to Ofir Arkin, a former @stake researcher who helped discover and report the problem.

In testing with software drivers from a number of leading software vendors, Arkin and his colleagues pulled passwords and Web browser session information from the filler information, according to Arkin.

"We were able to extract basically whatever information was sent to us," Arkin said.

Although Arkin admits that the filler information would not be accessible to someone trying to access the network from outside or useful to "script kiddies" (novice hackers) he said experienced hackers would have little trouble piecing the bits of information together. That information could allow them to gain access to prohibited parts of a corporate network or an individual employee's network and Internet accounts.

"For an experienced hacker, this is a gold mine," Arkin said.

Other security experts agreed.

"There are some instances that @stake reported that may be serious, particularly where information is leaked from the dynamic kernel memory. That information could contain tidbits of data that, when assembled, could be interesting to an attacker," said Jeffrey P. Lanza of CERT Coordination Center, which notified manufacturers about the vulnerability in June and published a vulnerability note on the issue (VU#412115) on Monday.

Drivers for a variety of Linux and Unix distributions, including ones from RedHat Inc., Suse Linux AG, MandrakeSoft SA and Conectiva SA, contain the vulnerability, according to Arkin. In addition, at least one Windows driver for a PCMCIA (Personal Computer Memory Card International Association) Ethernet card from Compaq Computer Corp. (since acquired by Hewlett-Packard Co.) was found to contain the vulnerability during testing conducted by @stake, according to Arkin.

As of Friday, none of those vendors had responded to CERT about the status of their products, according to information on CERT's Web site.

The @stake report, entitled "EtherLeak: Ethernet frame padding information leakage" contains a list of more than 40 vulnerable device drivers for the Linux operating system alone.

Apple, Sun, Red Hat and Hewlett-Packard Co. did not respond to requests for comment on the vulnerability.

Another reason for the slow response may be that the vendors do not consider the problem to be serious because it can only be exploited internally, according to Chris Wysopal, director of research and development at @stake.

"They probably feel it's a minor issue. It's not something that somebody over the Internet is going to use to attack a firewall," Wysopal said.

That position may be overly optimistic, however.

"A lot of organizations internally have switched networks and may feel like, 'Employees can't look at the CEO's e-mail.' But it's quite possible using this vulnerability to use little bits of data, up to 17 bytes at a time, to view sensitive information," Wysopal said.

Although the contents of e-mail may be safe, passwords and other discrete pieces of information such as Points of Presence (POP) and Internet Message Access Protocol (IMAP) passwords could be captured by an internal hacker.

By collecting such filler information over the course of a couple of weeks, a large amount of sensitive network information could be snooped using the Ethernet card vulnerability, according to Wysopal.

"This is a type of problem that has just been lying dormant in a wide variety of products for many years," said Lanza.

"It's one of those issues that's pervasive enough that we want people to know about it so they think about it as a possible security vulnerability."

In some cases, the vulnerability described by @stake might even have been introduced in sample code supplied by the operating system vendor.

In its reply to CERT, Microsoft Corp. said that while none of the drivers that it ships contain the vulnerability, it may have published specifications and sample code that inadvertently encouraged third-party software developers to create Ethernet drivers for Windows that do.

"We have found samples in our documentation that, when compiled without alteration, could yield a driver that could contain this issue," Microsoft said in its response to CERT.

Although he lacked information about specific drivers, Wysopal said that if Microsoft's sample driver code contained the padding vulnerability, the flaw is likely to be widespread in Windows drivers.

"It's not uncommon, when writing a driver, to take the platform provider's sample code and modify it. That's par for the course. From the developer's perspective, some things are tough to get right without seeing a sample," Wysopal said.

Microsoft did not respond to a request for comment but said in its response to CERT that it had made corrections to the samples in its documentation and will include tests for the padding vulnerability issue in its driver certification process.

A similar "cut and paste" phenomenon may account for the large number of Ethernet drivers for Linux that exhibit the problem, Wysopal said. However, for nonprofit and for-profit Linux vendors, the problem may be harder to root out.

"For Linux, a particular driver could have been written five years ago with the vulnerability and you don't know where that person is any more," Wysopal said.

Asked about its plans to address the slow reaction from vendors, Lanza said that CERT has no immediate plans to get vendors to respond but may consider action if the dearth of information continues.

"If it goes on a while longer and we haven't heard from vendors, it would be worthwhile to send a notification," Lanza said.