From security@sco.com Sat Sep 27 23:31:40 2003
From: security@sco.com
To: announce@lists.sco.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
Date: Fri, 26 Sep 2003 18:04:35 -0700
Reply-To: please_reply_to_security@sco.com
Subject: UnixWare 7.1.3 UnixWare 7.1.1 Open UNIX 8.0.0 : Network device drivers reuse old frame buffer data to pad packets

To: announce@lists.sco.com bugtraq@securityfocus.com full-disclosure@lists.netsys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject:          UnixWare 7.1.3 UnixWare 7.1.1 Open UNIX 8.0.0 : Network device drivers reuse old frame buffer data to pad packets
Advisory number:  CSSA-2003-SCO.21
Issue date:       2003 September 26
Cross reference:  sr866216 fz521367 erg712090
______________________________________________________________________________

1. Problem Description

Many network device drivers reuse old frame buffer data to pad
packets, resulting in an information leakage vulnerability that
may allow remote attackers to harvest sensitive information from
affected devices.

The Ethernet standard (IEEE 802.3) specifies a minimum data field
size of 46 bytes. If a higher layer protocol such as IP provides
packet data that is smaller than 46 bytes, the device driver must
fill the remainder of the data field with a "pad". For IP
datagrams, RFC1042 specifies that "the data field should be padded
(with octets of zero) to meet the IEEE 802 minimum frame size
requirements."

Researchers from @Stake have discovered that, contrary to the
recommendations of RFC1042, many Ethernet device drivers fail to
pad frames with null bytes. Instead, these device drivers reuse
previously transmitted frame data to pad frames smaller than 46
bytes. This constitutes an information leakage vulnerability that
may allow remote attackers to harvest potentially sensitive
information.

For detailed information on this research, please read @Stake's
"EtherLeak: Ethernet frame padding information leakage", available at
http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following name CAN-2003-0001 for this issue. This is a candidate
for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.

2. Vulnerable Supported Versions

System                  Binaries
----------------------------------------------------------------------
UnixWare 7.1.3          nics package
UnixWare 7.1.1          /etc/conf/pack.d/dlpi/Driver.o
                        /etc/inst/nd/dlpi/Driver.o
Open UNIX 8.0.0         /etc/conf/pack.d/dlpi/Driver.o
                        /etc/inst/nd/dlpi/Driver.o

3. Solution

The proper solution is to install the latest packages.

4. UnixWare 7.1.3

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.21

4.2 Verification

MD5 (nics.image) = 650144e22bfa3aa666d1eabe9bb6f151

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools

4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1. Download the nics.image file to the /tmp directory on your
   machine.

2. As root, uncompress the file and add the package to your
   system using these commands:

    $ su
    Password:
    # uncompress /tmp/nics.image
    # pkgadd -d /tmp/nics.image
    # rm /tmp/nics.image

5. UnixWare 7.1.1

5.1 First install Maintenance Pack 3. This fix will be included
    in Maintenance Pack 4.

5.2 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.21

5.3 Verification

MD5 (erg712090.pkg.Z) = c299a961be84dbcca7a77dda08f0a8c4

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools

5.4 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download erg712090.pkg.Z to the /var/spool/pkg directory

    # uncompress /var/spool/pkg/erg712090.pkg.Z
    # pkgadd -d /var/spool/pkg/erg712090.pkg

6. Open UNIX 8.0.0

6.1 First install Maintenance Pack 6.

6.2 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2003-SCO.21

6.3 Verification

MD5 (erg712090.pkg.Z) = c299a961be84dbcca7a77dda08f0a8c4

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools

6.4 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download erg712090.pkg.Z to the /var/spool/pkg directory

    # uncompress /var/spool/pkg/erg712090.pkg.Z
    # pkgadd -d /var/spool/pkg/erg712090.pkg

7. References

Specific references for this advisory:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001
    http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf
    http://www.atstake.com/research/advisories/2003/a010603-1.txt
    http://www.nextgenss.com/advisories/etherleak-2003.txt
    http://www.ietf.org/rfc/rfc1042.txt

SCO security resources:

    http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr866216 fz521367 erg712090.

8. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.

9. Acknowledgments

SCO would like to thank Ofir Arkin and Josh Anderson from @Stake
for their research.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj90zgcACgkQaqoBO7ipriFagwCgqMA/VriVmZXgjyCQ1y9LJv3y
xUoAnREQyrxRAXdDhgXUZDi3DuB7FPOh
=uRMx
-----END PGP SIGNATURE-----
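
The padding flaw described in section 1, as an added example that is not part of the SCO advisory and is not code from any SCO driver: a simulated transmit path with a single reused buffer, showing the stale pad next to the zeroed pad that RFC1042 asks for. The buffer layout, the function names and the sample frames are assumptions made for the illustration.

```c
/* Added illustration: simulated transmit path, not code from a real driver. */
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN  14                     /* dst MAC, src MAC, EtherType */
#define ETH_MIN_LEN  (ETH_HDR_LEN + 46)     /* header + 46-byte minimum data field */
#define TX_BUF_LEN   (ETH_HDR_LEN + 1500)

/* One transmit buffer reused for every frame (assumed driver design). */
static unsigned char tx_buf[TX_BUF_LEN];

/* Stage a frame; returns the length put on the wire, 0 if rejected.
 * zero_pad == 0: flawed path, the pad is whatever the last frame left behind.
 * zero_pad != 0: corrected path, the pad is octets of zero as RFC1042 asks. */
size_t tx_prepare(const unsigned char *frame, size_t len, int zero_pad)
{
    if (len < ETH_HDR_LEN || len > TX_BUF_LEN)
        return 0;
    memcpy(tx_buf, frame, len);
    if (len < ETH_MIN_LEN) {
        if (zero_pad)
            memset(tx_buf + len, 0, ETH_MIN_LEN - len);
        len = ETH_MIN_LEN;
    }
    return len;
}

/* Stage a constructed 100-byte frame, then an 18-byte one, and count the
 * non-zero pad octets that would leave the host with the short frame. */
size_t stale_pad_octets(int zero_pad)
{
    unsigned char big[100], small[ETH_HDR_LEN + 4];
    size_t i, wire_len, stale = 0;

    memset(big, 0x41, sizeof big);          /* constructed "earlier traffic" */
    memset(small, 0x00, sizeof small);      /* constructed short frame */
    tx_prepare(big, sizeof big, zero_pad);
    wire_len = tx_prepare(small, sizeof small, zero_pad);
    for (i = sizeof small; i < wire_len; i++)
        if (tx_buf[i] != 0)
            stale++;
    return stale;
}

int main(void)
{
    printf("flawed pad: %zu stale octets\n", stale_pad_octets(0));
    printf("zeroed pad: %zu stale octets\n", stale_pad_octets(1));
    return 0;
}
```

The same count, taken over the pad of short frames captured from a host, is a quick check that the fixed driver is the one actually loaded after the update.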