Security Firm @stake Says Your Network May Be Leaking Sensitive Data

Newly announced flaw puts some information sent over networks at risk from snoops.

InformationWeek Staff, Contributor

January 7, 2003

Security researchers at the firm @stake say they've found a flaw in how network device drivers send information that could create an "information leakage vulnerability" that may let hackers collect sensitive information sent from vulnerable devices. If successful, @stake says, hackers potentially could view "slices of previously transmitted packets or portions of kernel memory" over certain networks.

The CERT Coordination Center has posted a long list (http://www.kb.cert.org/vuls/id/412115) of network vendors' products that could be vulnerable to the flaw. However, as of now, the majority of vendors haven't disclosed whether their device drivers are at risk. So far, Cisco Systems, F5 Networks, Hitachi, Microsoft, and NEC have reported that they're not vulnerable. According to @stake's advisory, the software and hardware vendors were notified of the potential flaw in June 2002. According to CERT, no statement concerning this vulnerability is yet available from more than 40 of the vendors notified more than six months ago.

@stake has dubbed the flaw EtherLeak, and says in its advisory (http://www.atstake.com/research/advisories/2003/a010603-1.txt) that incorrect implementations of the IEEE's Ethernet standard and poor programming practices "results in several variations of this information leakage vulnerability."

According to the IEEE Ethernet standard, packets sent over the network should be at least 46 bytes in size. However, it's common for protocols, such as IP, to require packets of less than 46 bytes; in such cases, the remaining bytes should contain null, or "empty," data.

Researchers from @stake say their tests reveal that the remaining bytes are filled not with worthless padding but with potentially sensitive corporate information stored in memory buffers on the network interface card, static system memory controlled by the network driver, or kernel memory. "The number of affected systems is staggering, and the number of vulnerable systems used as critical network infrastructure terrifying. The security of proprietary network devices is particularly questionable," @stake wrote in the conclusion of its paper.
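The padding behaviour described above, modelled in C as an added example (not code from @stake's advisory or from any vendor's driver): it puts the flawed padding pattern beside the corrected one and adds a check that counts non-null pad bytes in a frame. The function names, the reused 60-byte buffer and the sample frame are constructed for illustration, and the 14-byte Ethernet header is assumed from standard framing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN   14  /* dst MAC + src MAC + EtherType (assumed standard framing) */
#define ETH_MIN_DATA  46  /* minimum size cited in the article */
#define ETH_MIN_FRAME (ETH_HDR_LEN + ETH_MIN_DATA)  /* 60 bytes, FCS excluded */

/* Flawed pattern: length is raised to the minimum, pad bytes keep old buffer contents. */
size_t pad_frame_leaky(uint8_t *buf, size_t len) {
    (void)buf;
    return len < ETH_MIN_FRAME ? ETH_MIN_FRAME : len;
}

/* Corrected pattern: null the pad bytes before extending the length. */
size_t pad_frame_zeroed(uint8_t *buf, size_t len) {
    if (len < ETH_MIN_FRAME) {
        memset(buf + len, 0, ETH_MIN_FRAME - len);
        len = ETH_MIN_FRAME;
    }
    return len;
}

/* Audit check for an IPv4 frame: count non-null bytes after the IP datagram ends.
 * Returns -1 when the frame is too short, not IPv4, or truncated. */
int nonzero_pad_bytes(const uint8_t *f, size_t flen) {
    if (flen < ETH_HDR_LEN + 20 || f[12] != 0x08 || f[13] != 0x00) return -1;
    size_t end = ETH_HDR_LEN + (((size_t)f[16] << 8) | f[17]); /* IPv4 total length */
    if (end > flen) return -1;
    int n = 0;
    for (size_t i = end; i < flen; i++) n += (f[i] != 0);
    return n;
}

/* Constructed demo: one buffer holds stale data, then a 28-byte IPv4 packet is built in it. */
int demo(int zero_pad) {
    uint8_t buf[ETH_MIN_FRAME];
    memset(buf, 'S', sizeof buf);          /* stands in for earlier traffic or memory */
    memset(buf, 0, ETH_HDR_LEN + 28);      /* header + short packet, fields mostly zero */
    buf[12] = 0x08; buf[13] = 0x00;        /* EtherType: IPv4 */
    buf[14] = 0x45;                        /* version 4, header length 5 words */
    buf[17] = 28;                          /* IPv4 total length = 28 bytes */
    size_t len = zero_pad ? pad_frame_zeroed(buf, 42) : pad_frame_leaky(buf, 42);
    return nonzero_pad_bytes(buf, len);
}

int main(void) {
    printf("leaky: %d stale pad bytes, zeroed: %d\n", demo(0), demo(1));
    return 0;
}
```

The same `nonzero_pad_bytes` check can be run over frames captured from a device under test to see whether its pad bytes are null.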

Both CERT and @stake recommend vulnerable companies encrypt network traffic, but even encrypting all network traffic isn't foolproof protection. While at-risk networks will greatly reduce this vulnerability's impact through encryption, they warn, sensitive information leaked from such sources as kernel memory can still be viewed by prying eyes.
