Slashdot Mirror
Flaw Found iIn Ethernet Device Drivers
Licensed2Hack writes "Security researchers have discovered a serious vulnerability that may be present in many Ethernet device drivers that is causing the devices to broadcast sensitive information over networks.
Seems the device driver writers couldn't be bothered with a memset() call. Eweek has their typical (puffy, low on tech details) take on it here.
Since they don't specify the OS, I'm assuming these are drivers for Windows." It's actually Linux, *BSD, and Windows.
The Cert advisory says that MS doesn't ship any drivers with this vulnerability. This is a lot different from saying that MS systems are completely uneffected. We're going to have all double check against the actual driver being used by the system (when this list is complete of course) to find out if we are particularly affected by this.
If this bugs you, just make a change to the link layer drivers. Pad with nuls again, like it is supposed to, rather than garbage data. The downside to this is there will be a speed hit, since you are wasting time fscking with small packets to make sure they are secured. But, given the speed of modern systems vs the speed of ethernet, I highly doubt you'll notice.
Honestly, the big problem here is going to be MS. I doubt they'll introduce a fix at all.
It could be enough for someone to snag the SSH private keys for a connection.
Of course, since you have to read ethernet packets, they'd either be listening to traffic on a VPN, or they'd be on their target's LAN.
More reasons to be afraid of your company's BOFH.
What's this Submit thingy do?
Why is this "devastating"? People can sniff ethernet networks anyway? People don't rely solely on a switch for your network security, right?? (Who am I kidding? Of course someone does. Sigh.)
It's pretty bad when people who reply don't read the article, but shouldn't the poster himself at least read it? Excerpt from the article:
"The Linux, NetBSD and Microsoft Windows operating systems are known to have vulnerable link layer implementations, and it is extremely likely that other operating systems are also affected."
The article submitters now can't be bothered to read the articles? You know, the bit in the article where it says "The Linux, NetBSD and Microsoft Windows operating systems are known to have vulnerable link layer implementations, and it is extremely likely that other operating systems are also affected."!?
Back to more important issues, like the actual content of the article ... I'm reading linux/net right now, anyone have any definite answers, and could point me to (say) source for where we do do this?
Great. I don't mean to sound like a troll, but @stake is really stretching for publicity here. 46 bytes? Do you realize how small the padding is? Yes, it's enough for a password, but keep in mind, that padding being sent out is transmitted from OLD FRAMES. These items have been transmitted before. Guess what kids? If you observe secure computing practices, such as using a encrypted login method (ssh comes to mind) and you mind your standard p's and q's, this problem should never be a PROBLEM. I am sorry, but as a professional that researches this stuff, I have to rate this vulnerability as a "really really low" and keep plugging on. In a perfect world, we would grab from urandom/random/null but this isn't a perfect world. Lets focus on remote root compromises, remote "system/admin" compromises, and lets also focus on getting IIS away from the industry. These are the REAL problems. Someone wake me up when @stake has a real advisory to give, something excellent that we are used to seeing from them, besides this trivial fluff they are going to over-hype.
/. but this will be the same position I give the Fortune 500 company I work for. /me wonders if my VP will mod me "troll" or "flamebait" =P
Mod me however you want, I'm a coward to
I am sure someone will rush to correct me if I am wrong about this.
In Murphy We Turst
On top of this, and everybody seems to be ignoring this basic fact, but after you get up to 18 bytes of information out of an ethernet packet, you *still* have to chain enough of these together to be a useful chunk of data. The problem drops significantly when you add more machines to the network, because it gets steadily harder and harder to put them together in order from the same machine. (Yeah, I know, you can use the mac or IP address to chain them together, but ethernet allows out-of-order packet delivery)
Like what I said? You might like my music
So here M$ gets look innocent and say, "It's nothing to do with us", while actually being guilty as sin for having an OS that uses loads of vulnerable drivers.
How is MS guilty for crappy code in other people's drivers now? They're not responsible for writing drivers for every single piece of hardware someone wants to run under Microsoft Windows. That would be the responsibility of the hardware vendors. ... and like it or not (and there are bits of the Win32 API I really do dislike), not all code that comes from Microsoft is utter crap with no redeeming qualities.
Oh, I really wish I could find a link to the Penny Arcade about "M$" right now too. :) Although I just realized I'm responding to an AC ...
Microsoft became responsible for other people's code the moment they got into the business of signing other people's code.
If Microsoft wants me to believe that drivers which have been approved and signed by Microsoft are any more trustworthy than drivers which haven't been signed and approved by Microsoft, then Microsoft need to accept responsibility for ensuring that is the case.
You can't say "don't use that code, I haven't approved it. Use this one instead..." and then say "well it's not my fault if the code I demand you use is broken, I didn't write it!"
The thing about things we don't know is we often don't know we don't know them.
Secondly, for security reasons, Windows ensures that no app will ever find remnants of another app's data in its memory space (all allocated memory is erased before is't given to the requester), which significantly reduces the risk that sensitive data would be transmitted.
please keep feeling safe because *n*x is so damn secure by defi^H^H^H^H religion.
Here is a clue for you.
This is about drivers, leaking kernel memory, not drivers leaking application memory.
Drivers are not applications, since drivers run in kernel space. Since memory is generally allocated in Linux by mmapping files, applications can not get "garbage data" from the operating system.
memset is part of the ISO/IEC 9899 standard for the C programming language. If your Windows library doesn't have it, complain to your vendor. This has nothing to do with Unix vs. Windows.
Han-Wen Nienhuys -- LilyPond
And hence one of the greatnesses of open source. We don't have to wait for them to do it. Someone can go in and clear up the issue in all the Ethernet drivers just like that. No muss, no fuss. Fixed drivers.
Malike Bamiyi wanted my assistance.
Don't forget that after the vendors fixed it, the new drivers have to be re-certified and signed by Microsoft or their Great OSes[tm] will bark on everyone installing them - which wouldn't shine a bright light on the vendor.
Last thing I remember was that having a new driver certified by Microsoft takes several weeks to months.
An interesting question aside: If so many drivers (if you believe in the article's wording) are affected, why did they pass the Microsoft quality/security "certification" in the first place?
Seems to me that their certification tests aren't worth the bits they're written on - probably they just check that the drivers don't crash the system and so on. (well, and sometimes, not even this.)
42. Easy. What is 32 + 8 + 2?
Good point. Personally, I think there is something fundamentally broken with the whole system. To have your story submitted, you have to submit it fast (Even though this news is actually 3 days old). To have your post modded up to +5 area it has to be very fast - i.e. too fast to actually read the article. Does this seem broken to anyone else?
Random is the New Order.