UnixWare 7.1.3 UnixWare 7.1.1 Open UNIX 8.0.0 : Network device drivers reuse old frame buffer data to pad packets
To: announce@xxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx
full-disclosure@xxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.3 UnixWare 7.1.1 Open UNIX 8.0.0 : Network
device drivers reuse old frame buffer data to pad packets
Advisory number: CSSA-2003-SCO.21
Issue date: 2003 September 26
Cross reference: sr866216 fz521367 erg712090
______________________________________________________________________________
1. Problem Description
Many network device drivers reuse old frame buffer data
to pad packets, resulting in an information leakage
vulnerability that may allow remote attackers to harvest
sensitive information from affected devices.

The Ethernet standard (IEEE 802.3) specifies a minimum
data field size of 46 bytes. If a higher layer protocol
such as IP provides packet data that is smaller than 46
bytes, the device driver must fill the remainder of the
data field with a "pad". For IP datagrams, RFC1042 specifies
that "the data field should be padded (with octets of zero)
to meet the IEEE 802 minimum frame size requirements."

Researchers from @Stake have discovered that, contrary to
the recommendations of RFC1042, many Ethernet device drivers
fail to pad frames with null bytes. Instead, these device
drivers reuse previously transmitted frame data to pad
frames smaller than 46 bytes. This constitutes an information
leakage vulnerability that may allow remote attackers to
harvest potentially sensitive information.

For detailed information on this research, please read
@Stake's "EtherLeak: Ethernet frame padding information
leakage", available at
http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf

The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2003-0001 to this issue.
This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for
security problems.
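
The padding rule described above, as an added example (not code from SCO or @Stake): a transmit-side pad routine with and without the zero fill RFC1042 asks for, and a capture-side check that counts nonzero pad octets after the end of an IPv4 datagram. The function names, the zero_fill flag and the sample frame are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN   14                 /* dst MAC, src MAC, EtherType */
#define ETH_MIN_FRAME (ETH_HDR_LEN + 46) /* 46-byte minimum data field, FCS excluded */

/* Transmit side: copy a frame into txbuf and raise short frames to the minimum.
 * zero_fill=1 pads with zero octets (RFC 1042); zero_fill=0 leaves whatever txbuf
 * already held, the flaw described above. Returns the length to send, 0 on error. */
size_t eth_pad(uint8_t *txbuf, size_t bufsz, const uint8_t *frame, size_t len, int zero_fill)
{
    size_t out = len < ETH_MIN_FRAME ? ETH_MIN_FRAME : len;
    if (len < ETH_HDR_LEN || out > bufsz)
        return 0;
    memcpy(txbuf, frame, len);
    if (zero_fill)
        memset(txbuf + len, 0, out - len);
    return out;
}

/* Capture side: count nonzero octets after the end of the IPv4 datagram.
 * Returns -1 if the frame is not well-formed IPv4, else the count (0 = clean pad). */
int eth_pad_nonzero(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN + 20 || frame[12] != 0x08 || frame[13] != 0x00)
        return -1;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ip_len = ((size_t)ip[2] << 8) | ip[3];   /* IP total length field */
    if ((ip[0] >> 4) != 4 || ip_len < 20 || ETH_HDR_LEN + ip_len > len)
        return -1;
    int dirty = 0;
    for (size_t i = ETH_HDR_LEN + ip_len; i < len; i++)
        dirty += (frame[i] != 0);
    return dirty;
}

/* Constructed sample: a 28-byte IPv4 datagram (42-byte frame, so 18 pad octets)
 * sent through a buffer that still holds 0x53 bytes from an earlier frame. */
int demo_pad_check(int zero_fill)
{
    uint8_t frame[42] = {0}, txbuf[64];
    frame[12] = 0x08; frame[13] = 0x00;   /* EtherType: IPv4 */
    frame[14] = 0x45; frame[17] = 28;     /* version 4, IHL 5; total length 28 */
    memset(txbuf, 0x53, sizeof txbuf);    /* stale data left in the buffer */
    size_t n = eth_pad(txbuf, sizeof txbuf, frame, sizeof frame, zero_fill);
    return n ? eth_pad_nonzero(txbuf, n) : -1;
}

/* Exit status 0 when the stale pad is flagged and the zeroed pad is clean. */
int main(void) { return !(demo_pad_check(0) == 18 && demo_pad_check(1) == 0); }
```

Run over frames captured from a host before and after the update, the capture-side check gives a direct way to confirm that short frames now carry zero padding.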
2. Vulnerable Supported Versions
System                  Binaries
----------------------------------------------------------------------
UnixWare 7.1.3          nics package
UnixWare 7.1.1          /etc/conf/pack.d/dlpi/Driver.o
                        /etc/inst/nd/dlpi/Driver.o
Open UNIX 8.0.0         /etc/conf/pack.d/dlpi/Driver.o
                        /etc/inst/nd/dlpi/Driver.o
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.3
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.21
4.2 Verification
MD5 (nics.image) = 650144e22bfa3aa666d1eabe9bb6f151
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1. Download the nics.image file to the /tmp directory on your
machine.
2. As root, uncompress the file and add the package to your
system using these commands:
$ su
Password: <type your root password>
# uncompress /tmp/nics.image
# pkgadd -d /tmp/nics.image
# rm /tmp/nics.image
5. UnixWare 7.1.1
5.1 First install Maintenance Pack 3. This fix will be
included in Maintenance Pack 4.
5.2 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.21
5.3 Verification
MD5 (erg712090.pkg.Z) = c299a961be84dbcca7a77dda08f0a8c4
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.4 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712090.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712090.pkg.Z
# pkgadd -d /var/spool/pkg/erg712090.pkg
6. Open UNIX 8.0.0
6.1 First install Maintenance Pack 6.
6.2 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2003-SCO.21
6.3 Verification
MD5 (erg712090.pkg.Z) = c299a961be84dbcca7a77dda08f0a8c4
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
6.4 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712090.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712090.pkg.Z
# pkgadd -d /var/spool/pkg/erg712090.pkg
7. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001
http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf
http://www.atstake.com/research/advisories/2003/a010603-1.txt
http://www.nextgenss.com/advisories/etherleak-2003.txt
http://www.ietf.org/rfc/rfc1042.txt
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr866216 fz521367
erg712090.
8. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
9. Acknowledgments
SCO would like to thank Ofir Arkin and Josh Anderson from
@Stake for their research.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj90zgcACgkQaqoBO7ipriFagwCgqMA/VriVmZXgjyCQ1y9LJv3y
xUoAnREQyrxRAXdDhgXUZDi3DuB7FPOh
=uRMx
-----END PGP SIGNATURE-----