This is hardly earth-shattering news.  You can see this happening every
time you sniff a LAN.  Empty TCP segments (e.g. acks) with six bytes of
"random" data.  The only thing the report points out is that the data
may previously have been used on another interface or it may be other
non-network data, although I suspect that the latter is highly unlikely
since NIC ring buffers would generally be pre-allocated early on in the
driver initialisation code.  I could be wrong but I would expect a NIC
driver to block or drop if the TX or RX ring was full, rather than try
and get a new buffer allocated.  Where the random data is network
data... well on shared media you should assume it's already been sniffed
anyway, that's what ssh is for :-)
Gotta go now, I've got a CCNP exam in an hour, wish me luck.
rgds
Marc


The Long and Winding Road wrote:
> 
> saw this one come through today.
> 
> I checked the link down at the bottom of the page. I thought it quite
> interesting that Cisco and Microsoft are noted as "not vulnerable" while
> just about every *nix out there is listed as "unknown". One sad note - my
> firewall of choice is shown as "unknown" also.
> 
> I am presuming that testing is still going on with all these other
> products. "unknown" may not necessarily mean "vulnerable"
> 
> -------
> 
> *CERT WARNS OF POTENTIALLY WIDESPREAD VULNERABILITY
> By SWD Staff
> The Computer Emergency Response Team (CERT) Monday warned of a
> vulnerability affecting Ethernet device driver software running on
> multiple platforms that could allow a remote attacker to harvest
> potentially sensitive information from network traffic.
> 
> A research paper by information security firm @stake says, "Multiple
> platform Ethernet Network Interface Card (NIC) device drivers incorrectly
> handle frame padding, allowing an attacker to view slices of previously
> transmitted packets or portions of kernel memory. This vulnerability is
> the result of incorrect implementations of RFC requirements and poor
> programming practices, the combination of which results in several
> variations of this information leakage vulnerability."
> 
> It "is trivial to exploit and has potentially devastating consequences.
> Several different variants of this implementation flaw result in this
> vulnerability," @stake continues. "The number of affected systems is
> staggering, and the number of vulnerable systems used as critical network
> infrastructure is terrifying."
> 
> CERT recommends applying patches as soon as they are available and using
> encryption to protect network traffic, though it won't protect sensitive
> information leaked from non-network sources, such as kernel memory.
> 
> For an updated list of affected vendors, please consult the CERT
> vulnerability note.
> http://www.kb.cert.org/vuls/id/412115
> http:[EMAIL PROTECTED]/research/advisories/2003/index.html#010603-1




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60695&t=60687
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
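
An added example, not part of the original thread: a defender-side check for the frame-padding behaviour discussed above. It takes one captured Ethernet frame, uses the IPv4 total-length field to find where the datagram ends, and flags any trailing pad bytes that are not zero. The function names, addresses and sample frames are constructed for illustration, and the capture is assumed to be untagged IPv4 with the 4-byte FCS already stripped.

```python
import struct

ETH_HDR_LEN = 14         # dst MAC + src MAC + EtherType
ETHERTYPE_IPV4 = 0x0800


def frame_padding(frame: bytes):
    """Return the bytes that follow the IPv4 datagram, or None if not applicable."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None                      # too short to hold an IPv4 header
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4 or frame[14] >> 4 != 4:
        return None                      # VLAN tags, ARP, IPv6 are out of scope here
    (total_len,) = struct.unpack("!H", frame[16:18])
    end = ETH_HDR_LEN + total_len
    if total_len < 20 or end > len(frame):
        return None                      # malformed header or truncated capture
    return frame[end:]                   # whatever the sender used to reach 60 bytes


def padding_is_suspect(frame: bytes) -> bool:
    """True when the pad exists and contains anything other than zero bytes."""
    pad = frame_padding(frame)
    return bool(pad) and any(pad)


def build_ack(pad: bytes) -> bytes:
    """Constructed sample: Ethernet + IPv4 + empty TCP ACK (checksums left at 0), then pad."""
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 1, 0x50, 0x10, 8192, 0, 0)
    return eth + ip + tcp + pad          # 14 + 20 + 20 = 54 bytes before the pad


if __name__ == "__main__":
    # An empty ACK is 54 bytes, so six pad bytes are needed to reach the 60-byte minimum.
    for name, pad in (("zeroed pad", bytes(6)), ("reused buffer", b"GET /i")):
        frame = build_ack(pad)
        print(name, len(frame), frame_padding(frame).hex(), padding_is_suspect(frame))
```

A non-zero pad only shows that the sender did not clear the buffer; whether the bytes came from earlier traffic or from other memory has to be judged from their content.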
