This is awfully strange. When would the "packet length described in the IP header be larger than the physical packet size?" I've never seen such a thing.
If what they are really trying to say is that the packet must go out on a data link that has a minimum size and thus must be padded, then the description of the problem makes sense. I've seen that. For example, when IP has a packet to send that is shorter than the Ethernet 64-byte minimum, then padding is required. And I have seen security issues with this. I have seen hosts (not routers though) pad with leftover data that was sensitive. (I saw a password in the Ethernet pad once!)

OK, I've typed enough to avoid the GroupStudy bug that filters URLs at the beginning of messages. I really wanted to say that the URL in the original message got chopped. The URL to the security advisory is:

http://www.cisco.com/warp/public/707/IOS-CEF-pub.shtml

Priscilla

At 12:38 PM 2/28/02, Kaminski, Shawn G wrote:
>Here's another one:
>
>Cisco Security Advisory: Data Leak with Cisco Express Forwarding Enabled
>
>Revision 1.0
>
>For Public Release 2002 February 27 08:00 (UTC -0800)
>
>- --------------------------------------------------------------------------
>
>Summary
>=======
>
>All Cisco devices running Cisco IOS(r) and having Cisco Express Forwarding
>(CEF) enabled can leak information from previous packets that have been
>handled by the device. This can happen if the packet length described in the
>IP header is bigger than the physical packet size. Packets like these will
>be expanded to fit the IP length and, during that expansion, an information
>leak may occur. Please note that an attacker can only collect parts of some
>packets but not the whole session.
>
>No other Cisco product is vulnerable. Devices that have fast switching
>enabled are not affected by this vulnerability.
>
>The workaround for this vulnerability is to disable CEF.
>
>This advisory is available at the http://www.cisco.com/warp/public/707/
>
>IOS-CEF-pub.shtml.
>
>Affected Products
>=================
>
>All Cisco IOS releases that support CEF are vulnerable. In order to
>trigger this vulnerability CEF or dCEF must be enabled on the device. The
>vulnerable Cisco IOS releases are (this is not an exhaustive list):
>
> * 11.1CC
> * 12.0, 12.0S, 12.0T, 12.0ST
> * 12.1, 12.1E, 12.1T
> * 12.2, 12.2T
>
>No other Cisco products are affected.
>
>Details
>=======
>
>When a router receives a packet where the MAC level packet length is shorter
>than is indicated by the IP level, the router will "extend" the packet to
>the size indicated by the IP level. This extension will be done by padding
>the packet with arbitrary data. The issue here is that the padding may
>contain data from previous packets that has not been erased.
>
>Although it is possible to trigger this vulnerability on command, it is not
>possible to predict what information would be collected this way. It is not
>possible for an attacker to selectively capture desired packets (for
>example, packets with a username and password combination).
>
>This vulnerability is specific to CEF. Fast switching is not affected by it.
>
>This vulnerability is documented as Cisco Bug ID CSCdu20643. For the Cisco
>IOS 11.1CC image, this vulnerability is described as Cisco Bug ID
>CSCdp58360.
>
>Impact
>======
>
>By sending malformed packets, and capturing them after they have been
>processed by CEF, an attacker may find remnants of previous packets in
>them. The remnant data may contain whatever the previous packet has carried.
>That may be parts of a document, mail or any other content.
>
>Note that in an interactive session such as typing a password, characters
>are sent one by one in separate packets. That drastically lowers the
>probability that all packets will be captured. In addition, it is almost
>certain that typed characters will be overwritten by the contents of the
>attacking packets.
>
>
>Shawn G. Kaminski
>EDS Network Engineering - DowNET

________________________
Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36830&t=36823
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
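As an added illustration, not code from the thread or from the Cisco advisory, the checker below parses constructed Ethernet/IPv4 frames and separates the two situations discussed above: an IP total length larger than the bytes the frame actually carries (the condition the advisory describes), and a short datagram whose link-layer padding is non-zero (the host-side pad leak Priscilla mentions). The frames, addresses and the "passw0rd" trailer are constructed sample values, and the IPv4 checksum is left at zero because only the length fields matter here.

```python
import struct

ETH_HDR_LEN = 14
ETH_MIN_FRAME = 60   # 64-byte Ethernet minimum minus the 4-byte FCS, which captures drop

def ipv4_datagram(payload: bytes, claimed_len=None) -> bytes:
    """Minimal IPv4 header (no options, checksum zero) in front of payload.
    claimed_len lets a test frame lie about its length, as the advisory describes."""
    total_len = len(payload) + 20 if claimed_len is None else claimed_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def ethernet_frame(datagram: bytes, trailer: bytes = b"") -> bytes:
    """Ethernet II frame (dummy MACs, EtherType 0x0800) plus whatever the sender padded with."""
    return b"\x00" * 12 + b"\x08\x00" + datagram + trailer

def classify_frame(frame: bytes) -> dict:
    """Compare the IP total length with the bytes physically carried after the Ethernet header."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        raise ValueError("need an Ethernet II frame carrying IPv4")
    ip = frame[ETH_HDR_LEN:]
    ip_len = struct.unpack("!H", ip[2:4])[0]
    if ip_len > len(ip):
        # Header claims bytes the wire never carried: the case the advisory is about.
        return {"status": "claims_more_than_carried", "ip_len": ip_len,
                "carried": len(ip), "trailer": b""}
    trailer = ip[ip_len:]   # bytes after the datagram: link-layer padding
    if not trailer:
        status = "ok"
    elif any(trailer):
        status = "padding_nonzero"   # pad carries data; inspect where it came from
    else:
        status = "padding_zero"
    return {"status": status, "ip_len": ip_len, "carried": len(ip), "trailer": trailer}

# Constructed samples: an 8-byte payload gives a 28-byte datagram, so 18 bytes of
# trailer are needed to reach the 60-byte minimum frame.
SHORT = ipv4_datagram(b"\x00" * 8)
PAD_LEN = ETH_MIN_FRAME - ETH_HDR_LEN - len(SHORT)
CLEAN = ethernet_frame(SHORT, b"\x00" * PAD_LEN)                         # sender zero-pads
LEAKY = ethernet_frame(SHORT, b"passw0rd".ljust(PAD_LEN, b"\x00"))       # stale buffer in pad
LIES = ethernet_frame(ipv4_datagram(b"\x00" * 8, claimed_len=120))        # IP length > frame

if __name__ == "__main__":
    for name, frame in (("clean", CLEAN), ("leaky", LEAKY), ("lies", LIES)):
        print(name, classify_frame(frame))
```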

