
UnixWare 7.1.3 UnixWare 7.1.1 Open UNIX 8.0.0 : Network device drivers reuse old frame buffer data to pad packets



To: announce@xxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx full-disclosure@xxxxxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                UnixWare 7.1.3 UnixWare 7.1.1 Open UNIX 8.0.0 :
                        Network device drivers reuse old frame buffer
                        data to pad packets
Advisory number:        CSSA-2003-SCO.21
Issue date:             2003 September 26
Cross reference:        sr866216 fz521367 erg712090
______________________________________________________________________________


1. Problem Description

        Many network device drivers reuse old frame buffer data
        to pad packets, resulting in an information leakage
        vulnerability that may allow remote attackers to harvest
        sensitive information from affected devices. 

        The Ethernet standard (IEEE 802.3) specifies a minimum
        data field size of 46 bytes. If a higher layer protocol
        such as IP provides packet data that is smaller than 46
        bytes, the device driver must fill the remainder of the
        data field with a "pad". For IP datagrams, RFC1042 specifies
        that "the data field should be padded (with octets of zero)
        to meet the IEEE 802 minimum frame size requirements."

        Researchers from @Stake have discovered that, contrary to
        the recommendations of RFC1042, many Ethernet device drivers
        fail to pad frames with null bytes. Instead, these device
        drivers reuse previously transmitted frame data to pad
        frames smaller than 46 bytes. This constitutes an information
        leakage vulnerability that may allow remote attackers to
        harvest potentially sensitive information. 
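
        The padding behaviour described above, as an added example
        that is not part of this advisory or of any SCO driver code.
        tx_pad(), nonzero_pad_octets() and demo() are hypothetical
        names; the check assumes Ethernet II framing carrying IPv4,
        no VLAN tag, and a capture with the FCS already stripped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN   14                  /* dst MAC, src MAC, EtherType */
#define ETH_MIN_FRAME (ETH_HDR_LEN + 46)  /* 46-byte minimum data field, FCS excluded */

/* Hypothetical transmit path: the frame sits in txbuf, which is reused
 * between packets. zero_fill=0 models the flaw, 1 the RFC 1042 padding. */
size_t tx_pad(uint8_t *txbuf, size_t frame_len, int zero_fill)
{
    if (frame_len >= ETH_MIN_FRAME)
        return frame_len;
    if (zero_fill)
        memset(txbuf + frame_len, 0, ETH_MIN_FRAME - frame_len);
    return ETH_MIN_FRAME;  /* without zero_fill the stale tail goes out */
}

/* Capture-side check (Ethernet II, IPv4, no VLAN tag, FCS stripped):
 * counts non-zero octets after the end of the IP datagram.
 * Returns -1 when the frame cannot be inspected. */
int nonzero_pad_octets(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN + 20 || frame[12] != 0x08 || frame[13] != 0x00)
        return -1;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t data_len = len - ETH_HDR_LEN;
    size_t ip_len = ((size_t)ip[2] << 8) | ip[3];  /* IPv4 Total Length */
    if ((ip[0] >> 4) != 4 || ip_len < 20 || ip_len > data_len)
        return -1;
    int count = 0;
    for (size_t i = ip_len; i < data_len; i++)
        count += (ip[i] != 0);
    return count;
}

/* Constructed sample: a 28-byte datagram written over an older frame. */
int demo(int zero_fill)
{
    uint8_t txbuf[ETH_MIN_FRAME];
    memset(txbuf, 0x41, sizeof txbuf);   /* stale data from an earlier frame */
    memset(txbuf, 0, ETH_HDR_LEN + 28);  /* new frame overwrites the start */
    txbuf[12] = 0x08; txbuf[14] = 0x45; txbuf[17] = 28;  /* IPv4, Total Length 28 */
    return nonzero_pad_octets(txbuf, tx_pad(txbuf, ETH_HDR_LEN + 28, zero_fill));
}

int main(void) { printf("flawed=%d fixed=%d\n", demo(0), demo(1)); return 0; }
```

        Run over frames captured from a host after the fixed
        packages are installed, a non-zero count on short IP
        frames indicates the driver is still not zero-padding.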

        For detailed information on this research, please read
        @Stake's "EtherLeak: Ethernet frame padding information
        leakage", available at

        http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf

        The Common Vulnerabilities and Exposures (CVE) project has
        assigned the name CAN-2003-0001 to this issue.
        This is a candidate for inclusion in the CVE list
        (http://cve.mitre.org), which standardizes names for
        security problems. 

2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        UnixWare 7.1.3          nics package

        UnixWare 7.1.1          /etc/conf/pack.d/dlpi/Driver.o
                                /etc/inst/nd/dlpi/Driver.o

        Open UNIX 8.0.0         /etc/conf/pack.d/dlpi/Driver.o
                                /etc/inst/nd/dlpi/Driver.o


3. Solution

        The proper solution is to install the latest packages.


4. UnixWare 7.1.3

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.21

        4.2 Verification

        MD5 (nics.image) = 650144e22bfa3aa666d1eabe9bb6f151

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

                1. Download the nics.image file to the /tmp directory
                   on your machine.

                2. As root, uncompress the file and add the package
                   to your system using these commands:

                $ su
                Password: <type your root password>
                # uncompress /tmp/nics.image
                # pkgadd -d /tmp/nics.image
                # rm /tmp/nics.image

5. UnixWare 7.1.1

        5.1 First install Maintenance Pack 3. This fix will be 
            included in Maintenance Pack 4.
 
        5.2 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.21

        5.3 Verification

        MD5 (erg712090.pkg.Z) = c299a961be84dbcca7a77dda08f0a8c4

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        5.4 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        Download erg712090.pkg.Z to the /var/spool/pkg directory

        # uncompress /var/spool/pkg/erg712090.pkg.Z
        # pkgadd -d /var/spool/pkg/erg712090.pkg


6. Open UNIX 8.0.0

        6.1 First install Maintenance Pack 6.

        6.2 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2003-SCO.21

        6.3 Verification

        MD5 (erg712090.pkg.Z) = c299a961be84dbcca7a77dda08f0a8c4

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        6.4 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        Download erg712090.pkg.Z to the /var/spool/pkg directory

        # uncompress /var/spool/pkg/erg712090.pkg.Z
        # pkgadd -d /var/spool/pkg/erg712090.pkg


7. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001
                http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf
                http://www.atstake.com/research/advisories/2003/a010603-1.txt 
                http://www.nextgenss.com/advisories/etherleak-2003.txt 
                http://www.ietf.org/rfc/rfc1042.txt

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr866216 fz521367
        erg712090.


8. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


9. Acknowledgments

         SCO would like to thank Ofir Arkin and Josh Anderson from
         @Stake for their research.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj90zgcACgkQaqoBO7ipriFagwCgqMA/VriVmZXgjyCQ1y9LJv3y
xUoAnREQyrxRAXdDhgXUZDi3DuB7FPOh
=uRMx
-----END PGP SIGNATURE-----