ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


IT Jobs

Server platforms Toolkit in association with http://ad.doubleclick.net/clk;205413468;14699245;m?http://adfarm.mediaplex.com/ad/ck/2397-58840-22058-14

Ethernet security leak discovered

John McCormick

Published: 27 Jan 2003 13:03 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Mitigating factors

The most significant mitigating factor is that the attacker or snooper must be on the same Ethernet network as the target, so it's generally going to be internal attackers that can exploit this flaw. Another mitigating factor -- at least in terms of the damage that may have occurred thus far -- is that it's doubtful that many hackers have known about this flaw and therefore haven't exploited it until now.

Of course, it's sad to say, but another major mitigating factor may be that most networks have much bigger and easier-to-exploit vulnerabilities for hackers to target.

Fix

CERT recommends encrypting all network traffic but warns that this still won't help in situations where kernel memory is used to pad out the packets.

Some vendors have determined that their products aren't affected by this threat, including IBM, Microsoft, and Cisco, but you should check the CERT bulletin for the latest information on which products are safe. If a product isn't listed, contact the vendor to see if it has an update available.

Who's to blame?

This situation demonstrates that even the most innocuous and seemingly benign protocols that have been around for years -- Ethernet was developed at PARC in the early 70s and was commercialized in 1980 -- may have holes in them. The fault isn't actually due to a flaw with the Ethernet standard developed by IEEE; rather, it is due to a loophole. The creators of the standard tried to keep things as simple as possible, so they just specified that the empty spaces in a packet be filled out with nulls. However, something fell between the cracks of the two relevant RFCs, 894 and 1042, controlling IP datagram transmission, and it was not made clear just who was responsible for padding the packets or where it would be done.

Final word

This is the sort of problem that can go on for years without being discovered (obviously). But once disclosed, it propels hackers to start trolling for the goldmine of sensitive data they hope is there.

A few top-level hackers may have known about this and been quietly exploiting the vulnerability for various purposes, but now it's public knowledge.

When I first read about this vulnerability on CERT, I thought this was a minor problem because, after all, it is mostly a Layer 2 event. But after looking into it a bit further, I believe this is a serious vulnerability, mostly because it is probably widespread and there is simply no way to know what data is being exposed to unauthorized individuals.

Also, many of us, including myself, are prone to forget that study after study shows that the biggest security threats to networks come from insiders, and this is the kind of threat that insiders can exploit easily.

For a weekly round-up of the enterprise IT news, sign up for the Enterpise newsletter.

Tell us what you think in the Enterprise Mailroom.

Next

Previous

1 2


  • Email
  • Trackback
  • Clip Link
  • Print friendly Print with Kyocera

Did you find this article useful?
121 out of 228 people found this useful


Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Server platforms


Company/Topic Alerts

Create a new alert from the list below: