ID HPUX_PHNE_28636.NASL Type nessus Reporter Tenable Modified 2013-04-20T00:00:00
Description
s700_800 11.00 EISA 100BT cumulative patch :
Potential for Ethernet device drivers to reuse packet data for padding. Cross-reference: CERT/cc VU#412115 and CVE CAN-2003-0001.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and patch checks in this plugin were
# extracted from HP patch PHNE_28636. The text itself is
# copyright (C) Hewlett-Packard Development Company, L.P.
#
include("compat.inc");
if (description)
{
# Registration branch: Nessus runs this once to collect the plugin's
# metadata. The host check further down in the file never executes here.
script_id(17417);
script_version("$Revision: 1.13 $");
script_cvs_date("$Date: 2013/04/20 00:36:48 $");
# The tracked issue is the Ethernet frame-padding leak known as Etherleak
# (CVE-2003-0001); the CERT note and the two HP bulletin identifiers are
# recorded as cross-references so reports can link to the vendor advisory.
script_cve_id("CVE-2003-0001");
script_xref(name:"CERT", value:"412115");
script_xref(name:"HP", value:"HPSBUX0305");
script_xref(name:"HP", value:"SSRT3451");
script_name(english:"HP-UX PHNE_28636 : HPSBUX0305-261 SSRT3451 Potential Security Vulnerability in HP-UX network drivers (Data Leakage) (rev. 01)");
# Summary is accurate about the method: this is an inventory comparison
# against swlist output, not a live probe of the network driver.
script_summary(english:"Checks for the patch in the swlist output");
script_set_attribute(
attribute:"synopsis",
value:"The remote HP-UX host is missing a security-related patch."
);
# Description text is taken verbatim from the HP patch (see file header);
# "CAN-2003-0001" is the pre-2005 candidate form of CVE-2003-0001.
script_set_attribute(
attribute:"description",
value:
"s700_800 11.00 EISA 100BT cumulative patch :
Potential for Ethernet device drivers to reuse packet data for
padding. Cross-reference: CERT/cc VU#412115 and CVE CAN-2003-0001."
);
script_set_attribute(
attribute:"solution",
value:"Install patch PHNE_28636 or subsequent."
);
# CVSSv2 AV:N/AC:L/Au:N/C:P/I:N/A:N: reachable over the network without
# authentication, partial confidentiality impact only, no integrity or
# availability impact, which is what an information-leak issue implies.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
# "local" plugin type: evidence comes from the SSH-collected software list
# (see the ssh_get_info.nasl dependency and the Host/HP-UX/swlist key).
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
script_set_attribute(attribute:"patch_publication_date", value:"2003/07/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/18");
script_end_attributes();
# ACT_GATHER_INFO: read-only check; it sends nothing to the target beyond
# what the SSH info-gathering dependency already did.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.");
script_family(english:"HP-UX Local Security Checks");
# The KB keys below are produced by ssh_get_info.nasl; the check body
# audits out if any of them is missing.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("hpux.inc");
# Preconditions: the SSH local-checks phase must have recorded the HP-UX
# release and the swlist software inventory in the KB. audit() terminates
# the plugin with the matching "not applicable" result.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);

# PHNE_28636 is an HP-UX 11.00 patch; any other release is out of scope.
if (!hpux_check_ctx(ctx:"11.00"))
{
  exit(0, "The host is not affected since PHNE_28636 applies to a different OS release.");
}

# Fast path: the fixing patch already appears in the swlist inventory.
# NOTE(review): whether hpux_installed() also accepts patches that
# supersede PHNE_28636 is decided inside hpux.inc - confirm there.
required_patches = make_list("PHNE_28636");
foreach required (required_patches)
{
  if (hpux_installed(app:required))
  {
    exit(0, "The host is not affected because patch "+required+" is installed.");
  }
}

# Filesets delivered by the EISA 100BT driver product, and the fileset
# revisions the patch replaces. Every (fileset, revision) pair present in
# the inventory is counted as a vulnerable component.
affected_filesets = make_list(
  "100BT-EISA-FMT.100BT-FORMAT",
  "100BT-EISA-KRN.100BT-KRN",
  "100BT-EISA-RUN.100BT-INIT",
  "100BT-EISA-RUN.100BT-RUN"
);
vulnerable_revisions = make_list("B.11.00.01", "B.11.00.02", "B.11.00.03", "B.11.00.04");

hits = 0;
foreach fileset (affected_filesets)
{
  # Fileset-major, revision-minor order is kept on purpose so the checks
  # run in the same sequence as the flat list they replace.
  foreach revision (vulnerable_revisions)
  {
    if (hpux_check_patch(app:fileset, version:revision)) hits++;
  }
}

# No vulnerable fileset revision in the inventory: record a clean result.
if (!hits) audit(AUDIT_HOST_NOT, "affected");

# At least one vulnerable fileset is installed without the patch. Attach
# the per-fileset detail only when the scan asks for verbose reporting.
if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());
else security_warning(0);
exit(0);
{"id": "HPUX_PHNE_28636.NASL", "bulletinFamily": "scanner", "title": "HP-UX PHNE_28636 : HPSBUX0305-261 SSRT3451 Potential Security Vulnerability in HP-UX network drivers (Data Leakage) (rev. 01)", "description": "s700_800 11.00 EISA 100BT cumulative patch : \n\nPotential for Ethernet device drivers to reuse packet data for padding. Cross-reference: CERT/cc VU#412115 and CVE CAN-2003-0001.", "published": "2005-03-18T00:00:00", "modified": "2013-04-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=17417", "reporter": "Tenable", "references": [], "cvelist": ["CVE-2003-0001"], "type": "nessus", "lastseen": "2017-10-29T13:38:34", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2003-0001"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "description": "s700_800 11.00 EISA 100BT cumulative patch : \n\nPotential for Ethernet device drivers to reuse packet data for padding. 
Cross-reference: CERT/cc VU#412115 and CVE CAN-2003-0001.", "edition": 1, "enchantments": {}, "hash": "aac65526c82af409a15fe1cff5e252c8881a71a4dbe9f85814032541b26a3d5c", "hashmap": [{"hash": "e1777e6c2e94ff29d63dc0883d740876", "key": "cvelist"}, {"hash": "634d1af54c551c354e3204db0cbbc77a", "key": "modified"}, {"hash": "f537a8c4c2a2ecce05af223984a006fc", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8a41d28221c79eca7074f51fc96b542d", "key": "href"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "7bcab4942f4f7e074eb4f7b4ecdf4f61", "key": "pluginID"}, {"hash": "2c90988f12d0f55d79edd4070999e39d", "key": "published"}, {"hash": "895f2a7b18396afc127ce655b15f4750", "key": "title"}, {"hash": "818c6bb883cdd9080fba437c46f3f9d3", "key": "description"}, {"hash": "a792e2393dff1e200b885c5245988f6f", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "220d862610286795a31951b35a56c058", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=17417", "id": "HPUX_PHNE_28636.NASL", "lastseen": "2016-09-26T17:24:44", "modified": "2013-04-20T00:00:00", "naslFamily": "HP-UX Local Security Checks", "objectVersion": "1.2", "pluginID": "17417", "published": "2005-03-18T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_28636. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17417);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2013/04/20 00:36:48 $\");\n\n script_cve_id(\"CVE-2003-0001\");\n script_xref(name:\"CERT\", value:\"412115\");\n script_xref(name:\"HP\", value:\"HPSBUX0305\");\n script_xref(name:\"HP\", value:\"SSRT3451\");\n\n script_name(english:\"HP-UX PHNE_28636 : HPSBUX0305-261 SSRT3451 Potential Security Vulnerability in HP-UX network drivers (Data Leakage) (rev. 01)\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.00 EISA 100BT cumulative patch : \n\nPotential for Ethernet device drivers to reuse packet data for\npadding. Cross-reference: CERT/cc VU#412115 and CVE CAN-2003-0001.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_28636 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/03/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.00\"))\n{\n exit(0, \"The host is not affected since PHNE_28636 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHNE_28636\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"100BT-EISA-FMT.100BT-FORMAT\", version:\"B.11.00.01\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-FMT.100BT-FORMAT\", version:\"B.11.00.02\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-FMT.100BT-FORMAT\", version:\"B.11.00.03\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-FMT.100BT-FORMAT\", version:\"B.11.00.04\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-KRN.100BT-KRN\", version:\"B.11.00.01\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-KRN.100BT-KRN\", version:\"B.11.00.02\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-KRN.100BT-KRN\", version:\"B.11.00.03\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-KRN.100BT-KRN\", version:\"B.11.00.04\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-INIT\", version:\"B.11.00.01\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-INIT\", version:\"B.11.00.02\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-INIT\", version:\"B.11.00.03\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-INIT\", version:\"B.11.00.04\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-RUN\", version:\"B.11.00.01\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-RUN\", version:\"B.11.00.02\")) flag++;\nif 
(hpux_check_patch(app:\"100BT-EISA-RUN.100BT-RUN\", version:\"B.11.00.03\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-RUN\", version:\"B.11.00.04\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "HP-UX PHNE_28636 : HPSBUX0305-261 SSRT3451 Potential Security Vulnerability in HP-UX network drivers (Data Leakage) (rev. 01)", "type": "nessus", "viewCount": 2}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:24:44"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "afe57d0304e958202be29619fb28e901"}, {"key": "cvelist", "hash": "e1777e6c2e94ff29d63dc0883d740876"}, {"key": "cvss", "hash": "a792e2393dff1e200b885c5245988f6f"}, {"key": "description", "hash": "818c6bb883cdd9080fba437c46f3f9d3"}, {"key": "href", "hash": "8a41d28221c79eca7074f51fc96b542d"}, {"key": "modified", "hash": "634d1af54c551c354e3204db0cbbc77a"}, {"key": "naslFamily", "hash": "f537a8c4c2a2ecce05af223984a006fc"}, {"key": "pluginID", "hash": "7bcab4942f4f7e074eb4f7b4ecdf4f61"}, {"key": "published", "hash": "2c90988f12d0f55d79edd4070999e39d"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "220d862610286795a31951b35a56c058"}, {"key": "title", "hash": "895f2a7b18396afc127ce655b15f4750"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "83c0128f729f72a5f55f37c6d66bf4e1a6eb2f985ba5fc31624412e4e09a4fbf", "viewCount": 2, "enchantments": {"vulnersScore": 5.0}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_28636. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17417);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2013/04/20 00:36:48 $\");\n\n script_cve_id(\"CVE-2003-0001\");\n script_xref(name:\"CERT\", value:\"412115\");\n script_xref(name:\"HP\", value:\"HPSBUX0305\");\n script_xref(name:\"HP\", value:\"SSRT3451\");\n\n script_name(english:\"HP-UX PHNE_28636 : HPSBUX0305-261 SSRT3451 Potential Security Vulnerability in HP-UX network drivers (Data Leakage) (rev. 01)\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.00 EISA 100BT cumulative patch : \n\nPotential for Ethernet device drivers to reuse packet data for\npadding. Cross-reference: CERT/cc VU#412115 and CVE CAN-2003-0001.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_28636 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/03/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.00\"))\n{\n exit(0, \"The host is not affected since PHNE_28636 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHNE_28636\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"100BT-EISA-FMT.100BT-FORMAT\", version:\"B.11.00.01\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-FMT.100BT-FORMAT\", version:\"B.11.00.02\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-FMT.100BT-FORMAT\", version:\"B.11.00.03\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-FMT.100BT-FORMAT\", version:\"B.11.00.04\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-KRN.100BT-KRN\", version:\"B.11.00.01\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-KRN.100BT-KRN\", version:\"B.11.00.02\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-KRN.100BT-KRN\", version:\"B.11.00.03\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-KRN.100BT-KRN\", version:\"B.11.00.04\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-INIT\", version:\"B.11.00.01\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-INIT\", version:\"B.11.00.02\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-INIT\", version:\"B.11.00.03\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-INIT\", version:\"B.11.00.04\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-RUN\", version:\"B.11.00.01\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-RUN\", version:\"B.11.00.02\")) flag++;\nif 
(hpux_check_patch(app:\"100BT-EISA-RUN.100BT-RUN\", version:\"B.11.00.03\")) flag++;\nif (hpux_check_patch(app:\"100BT-EISA-RUN.100BT-RUN\", version:\"B.11.00.04\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "HP-UX Local Security Checks", "pluginID": "17417", "cpe": ["cpe:/o:hp:hp-ux"]}
{"result": {"cve": [{"id": "CVE-2003-0001", "type": "cve", "title": "CVE-2003-0001", "description": "Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.", "published": "2003-01-17T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0001", "cvelist": ["CVE-2003-0001"], "lastseen": "2018-01-17T11:54:32"}], "cert": [{"id": "VU:412115", "type": "cert", "title": "Network device drivers reuse old frame buffer data to pad packets", "description": "### Overview\n\nMany network device drivers reuse old frame buffer data to pad packets, resulting in an information leakage vulnerability that may allow remote attackers to harvest sensitive information from affected devices.\n\n### Description\n\nThe Ethernet standard (IEEE 802.3) specifies a minimum data field size of 46 bytes. If a higher layer protocol such as IP provides packet data that is smaller than 46 bytes, the device driver must fill the remainder of the data field with a \"pad\". For IP datagrams, [_RFC1042_](<http://www.ietf.org/rfc/rfc1042.txt>) specifies that \"the data field should be padded (with octets of zero) to meet the IEEE 802 minimum frame size requirements.\" \n\nResearchers from @Stake have discovered that, contrary to the recommendations of RFC1042, many Ethernet device drivers fail to pad frames with null bytes. Instead, these device drivers reuse previously transmitted frame data to pad frames smaller than 46 bytes. This constitutes an information leakage vulnerability that may allow remote attackers to harvest potentially sensitive information. 
Depending upon the implementation of an affected device driver, the leaked information may originate from dynamic kernel memory, from static system memory allocated to the device driver, or from a hardware buffer located on the network interface card. \n \nFor detailed information on this research, please read @Stake's \"EtherLeak: Ethernet frame padding information leakage\", available at \n\n\n[_http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf_](<http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf>) \nThis vulnerability may also affect link layer networking protocols other than Ethernet. \n \n--- \n \n### Impact\n\nThis vulnerability allows remote attackers to harvest potentially sensitive information from network traffic. In some network environments, this vulnerability can also be used to circumvent technologies that divide networks into separate domains, such as VLANs and routers. \n \n--- \n \n### Solution\n\n**Apply a patch from your vendor** \n \nFor vendor-specific information regarding vulnerability status and patch availability, please consult the Systems Affected section of this document \n \n--- \n \n**Use encryption to protect sensitive data**\n\n \nBy using encryption to protect network traffic, vulnerable sites can greatly reduce the impact of this vulnerability. Affected device drivers will still leak information, but fragments of encrypted information will be useless to attackers. Note that this workaround will not protect sensitive information leaked from non-network sources such as kernel memory. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nDebian Linux| | 25 Jun 2002| 25 Jul 2003 \nGuardian Digital Inc. 
| | 25 Jun 2002| 24 Mar 2003 \nHewlett-Packard Company| | 25 Jun 2002| 25 Jul 2003 \nIntel| | 25 Jun 2002| 21 Apr 2003 \nMandriva, Inc.| | 25 Jun 2002| 25 Jul 2003 \nNetwork Appliance| | 25 Jun 2002| 08 Jan 2003 \nRed Hat, Inc.| | 25 Jun 2002| 31 Mar 2003 \nSun Microsystems, Inc.| | 25 Jun 2002| 03 Feb 2003 \nXerox Corporation| | 25 Jun 2002| 09 Jun 2003 \nApple Computer, Inc.| | 25 Jun 2002| 10 Jan 2003 \nCheck Point| | 13 Jan 2003| 03 Sep 2013 \nClavister| | 10 Jan 2003| 16 Jan 2003 \nF5 Networks, Inc.| | 25 Jun 2002| 03 Jan 2003 \nHitachi| | 03 Jan 2003| 06 Jan 2003 \nIBM Corporation| | 25 Jun 2002| 10 Jan 2003 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23412115 Vendor Status Inquiry>). \n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf>\n * <http://www.atstake.com/research/advisories/2003/a010603-1.txt>\n * <http://www.nextgenss.com/advisories/etherleak-2003.txt>\n * <http://www.ietf.org/rfc/rfc1042.txt>\n\n### Credit\n\nThe CERT/CC thanks Ofir Arkin and Josh Anderson for their discovery and analysis of this vulnerability.\n\nThis document was written by Jeffrey P. 
Lanza.\n\n### Other Information\n\n * CVE IDs: [CAN-2003-0001](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2003-0001>)\n * Date Public: 06 Jan 2003\n * Date First Published: 06 Jan 2003\n * Date Last Updated: 03 Sep 2013\n * Severity Metric: 13.50\n * Document Revision: 34\n\n", "published": "2003-01-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.kb.cert.org/vuls/id/412115", "cvelist": ["CVE-2003-0001", "CVE-2003-0001"], "lastseen": "2016-02-03T09:12:43"}], "packetstorm": [{"id": "PACKETSTORM:55335", "type": "packetstorm", "title": "etherleak.txt", "description": "", "published": "2007-03-24T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://packetstormsecurity.com/files/55335/etherleak.txt.html", "cvelist": ["CVE-2003-0001"], "lastseen": "2016-12-05T22:17:02"}, {"id": "PACKETSTORM:121969", "type": "packetstorm", "title": "Cisco ASA Ethernet Information Leak", "description": "", "published": "2013-06-10T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://packetstormsecurity.com/files/121969/Cisco-ASA-Ethernet-Information-Leak.html", "cvelist": ["CVE-2003-0001"], "lastseen": "2016-12-05T22:19:25"}], "nessus": [{"id": "SOLARIS10_X86_125907.NASL", "type": "nessus", "title": "Solaris 10 (x86) : 125907-02 (deprecated)", "description": "Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: AMD pcnet driver). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows successful unauthenticated network attacks via TCP/IP. 
Successful attack of this vulnerability can result in unauthorized read access to a subset of Solaris accessible data.\n\nThis plugin has been deprecated and either replaced with individual 125907 patch-revision plugins, or deemed non-security related.", "published": "2013-09-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=69906", "cvelist": ["CVE-2003-0001"], "lastseen": "2018-03-15T14:47:08"}, {"id": "HPUX_PHNE_29267.NASL", "type": "nessus", "title": "HP-UX PHNE_29267 : HPSBUX0305-261 SSRT3451 Potential Security Vulnerability in HP-UX network drivers (Data Leakage) (rev. 01)", "description": "s700_800 11.04 (VVOS) LAN product cumulative patch : \n\nPotential for Ethernet device drivers to reuse packet data for padding. Cross-reference: CERT/cc VU#412115 and CVE CAN-2003-0001.", "published": "2005-03-18T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=17420", "cvelist": ["CVE-2003-0001"], "lastseen": "2017-10-29T13:39:07"}, {"id": "HPUX_PHNE_29244.NASL", "type": "nessus", "title": "HP-UX PHNE_29244 : HPSBUX0305-261 SSRT3451 Potential Security Vulnerability in HP-UX network drivers (Data Leakage) (rev. 01)", "description": "s700_800 11.04 (VVOS) EISA 100BT cumulative patch : \n\nPotential for Ethernet device drivers to reuse packet data for padding. 
Cross-reference: CERT/cc VU#412115 and CVE CAN-2003-0001.", "published": "2005-02-16T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=16926", "cvelist": ["CVE-2003-0001"], "lastseen": "2017-10-29T13:36:46"}, {"id": "HPUX_PHNE_28143.NASL", "type": "nessus", "title": "HP-UX PHNE_28143 : HPSBUX0305-261 SSRT3451 Potential Security Vulnerability in HP-UX network drivers (Data Leakage) (rev. 01)", "description": "s700_800 11.00 LAN product cumulative patch : \n\nPotential for Ethernet device drivers to reuse packet data for padding. Cross-reference: CERT/cc VU#412115 and CVE CAN-2003-0001.", "published": "2005-02-16T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=16670", "cvelist": ["CVE-2003-0001"], "lastseen": "2017-10-29T13:33:13"}, {"id": "SOLARIS10_X86_125907-02.NASL", "type": "nessus", "title": "Solaris 10 (x86) : 125907-02", "description": "Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: AMD pcnet driver). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows successful unauthenticated network attacks via TCP/IP. 
Successful attack of this vulnerability can result in unauthorized read access to a subset of Solaris accessible data.", "published": "2018-03-12T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=107944", "cvelist": ["CVE-2003-0001"], "lastseen": "2018-03-15T14:37:05"}, {"id": "ETHERLEAK.NASL", "type": "nessus", "title": "Multiple Ethernet Driver Frame Padding Information Disclosure (Etherleak)", "description": "The remote host uses a network device driver that pads ethernet frames with data which vary from one packet to another, likely taken from kernel memory, system memory allocated to the device driver, or a hardware buffer on its network interface card.\n\nKnown as 'Etherleak', this information disclosure vulnerability may allow an attacker to collect sensitive information from the affected host provided he is on the same physical subnet as that host.", "published": "2003-01-14T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=11197", "cvelist": ["CVE-2003-0001"], "lastseen": "2016-09-26T17:26:36"}, {"id": "JUNIPER_JSA10579.NASL", "type": "nessus", "title": "Juniper Junos SRX1400/3400/3600 Etherleak Information Disclosure (JSA10579)", "description": "According to its self-reported version number, the remote Junos device has an information disclosure vulnerability. SRX1400, SRX3400, and SRX3600 services gateways pad Ethernet packets with data from previous packets instead of padding them with null bytes. 
A remote, unauthenticated attacker could exploit this to gain access to sensitive information, which could be used to mount further attacks.", "published": "2013-07-16T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68912", "cvelist": ["CVE-2003-0001", "CVE-2013-4690"], "lastseen": "2017-10-29T13:39:11"}, {"id": "SOLARIS_JAN2015_SRU11_1_11_4_0.NASL", "type": "nessus", "title": "Oracle Solaris Critical Patch Update : jan2015_SRU11_1_11_4_0", "description": "This Solaris system is missing necessary patches to address critical security updates :\n\n - Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: AMD pcnet driver).\n Supported versions that are affected are 10 and 11.\n Easily exploitable vulnerability allows successful unauthenticated network attacks via TCP/IP. Successful attack of this vulnerability can result in unauthorized read access to a subset of Solaris accessible data.\n (CVE-2003-0001)\n\n - Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: RPC Utility).\n Supported versions that are affected are 10 and 11.\n Difficult to exploit vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Solaris accessible data and ability to cause a partial denial of service (partial DOS) of Solaris. (CVE-2015-0429)\n\n - Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: RPC Utility).\n Supported versions that are affected are 10 and 11.\n Difficult to exploit vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized read access to a subset of Solaris accessible data. 
(CVE-2015-0430)", "published": "2015-01-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=80936", "cvelist": ["CVE-2003-0001", "CVE-2015-0430", "CVE-2015-0429"], "lastseen": "2017-10-29T13:42:42"}, {"id": "MANDRAKE_MDKSA-2003-039.NASL", "type": "nessus", "title": "Mandrake Linux Security Advisory : kernel22 (MDKSA-2003:039)", "description": "A number of vulnerabilities have been found in the Linux 2.2 kernel that have been addressed with the latest 2.2.25 release.\n\nA bug in the kernel module loader code could allow a local user to gain root privileges. This is done by a local user using ptrace and attaching to a modprobe process that is spawned if the user triggers the loading of a kernel module.\n\nA temporary workaround can be used to defend against this flaw. It is possible to temporarily disable the kmod kernel module loading subsystem in the kernel after all of the required kernel modules have been loaded. Be sure that you do not need to load additional kernel modules after implementing this workaround. To use it, as root execute :\n\necho /no/such/file >/proc/sys/kernel/modprobe\n\nTo automate this, you may wish to add it as the last line of the /etc/rc.d/rc.local file. You can revert this change by replacing the content '/sbin/modprobe' in the /proc/sys/kernel/modprobe file. 
The root user can still manually load kernel modules with this workaround in place.\n\nAs well, multiple ethernet device drivers do not pad frames with null bytes, which could allow remote attackers to obtain information from previous packets or kernel memory by using malformed packets.\n\nFinally, the 2.2 kernel allows local users to cause a crash of the host system by using the mmap() function with a PROT_READ parameter to access non-readable memory pages through the /proc/pid/mem interface.\n\nAll users are encouraged to upgrade to the latest kernel version provided.\n\nFor instructions on how to upgrade your kernel in Mandrake Linux, please refer to :\n\nhttp://www.mandrakesecure.net/en/kernelupdate.php", "published": "2004-07-31T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=14023", "cvelist": ["CVE-2003-0127", "CVE-2003-0001", "CVE-2002-1380"], "lastseen": "2017-10-29T13:35:49"}, {"id": "MANDRAKE_MDKSA-2003-066.NASL", "type": "nessus", "title": "Mandrake Linux Security Advisory : kernel (MDKSA-2003:066-2)", "description": "Multiple vulnerabilities were discovered and fixed in the Linux kernel.\n\n - CVE-2003-0001: Multiple ethernet network card drivers do not pad frames with null bytes which allows remote attackers to obtain information from previous packets or kernel memory by using special malformed packets.\n\n - CVE-2003-0244: The route cache implementation in the 2.4 kernel and the Netfilter IP conntrack module allows remote attackers to cause a Denial of Service (DoS) via CPU consumption due to packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain.\n\n - CVE-2003-0246: The ioperm implementation in 2.4.20 and earlier kernels does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.\n\n - CVE-2003-0247: A 
vulnerability in the TTY layer of the 2.4 kernel allows attackers to cause a kernel oops resulting in a DoS.\n\n - CVE-2003-0248: The mxcsr code in the 2.4 kernel allows attackers to modify CPU state registers via a malformed address.\n\n - CVE-2003-0462: A file read race existed in the execve() system call.\n\nAs well, a number of bug fixes were made in the 9.1 kernel including :\n\n - Support for more machines that did not work with APIC\n\n - Audigy2 support\n\n - New/updated modules: prims25, adiusbadsl, thinkpad, ieee1394, orinoco, via-rhine,\n\n - Fixed SiS IOAPIC\n\n - IRQ balancing has been fixed for SMP\n\n - Updates to ext3\n\n - The previous ptrace fix has been redone to work better\n\n - Bugs with compiling kernels using xconfig have been fixed\n\n - Problems with ipsec have been corrected\n\n - XFS ACLs are now present\n\n - gdb not working on XFS root filesystems has been fixed\n\nMandrakeSoft encourages all users to upgrade to these new kernels.\nUpdated kernels will be available shortly for other supported platforms and architectures.\n\nFor full instructions on how to properly upgrade your kernel, please review http://www.mandrakesecure.net/en/docs/magic.php.\n\nUpdate :\n\nThe kernels provided in MDKSA-2003:066-1 (2.4.21-0.24mdk) had a problem where all files created on any filesystem other than XFS, and using any kernel other than kernel-secure, would be created with mode 0666, or world writeable. 
The 0.24mdk kernels have been removed from the mirrors and users are encouraged to upgrade and remove those kernels from their systems to prevent accidentally booting into them.\n\nThat issue has been addressed and fixed with these new kernels.", "published": "2004-07-31T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=14049", "cvelist": ["CVE-2003-0248", "CVE-2003-0247", "CVE-2003-0001", "CVE-2003-0246", "CVE-2003-0244", "CVE-2003-0462"], "lastseen": "2017-10-29T13:35:30"}], "osvdb": [{"id": "OSVDB:3873", "type": "osvdb", "title": "Multiple Ethernet Driver Frame Padding Information Disclosure", "description": "## Vulnerability Description\nMultiple Ethernet Network Interface Card (NIC) Device Drivers contain flaws that may result in an information leakage vulnerability. The issue is triggered when Ethernet device drivers reuse old frame buffer data to pad packets. It is possible that the flaw may allow remote attackers to harvest sensitive information from affected devices resulting in a loss of confidentiality.\n## Solution Description\nContact vendor for upgrade to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nMultiple Ethernet Network Interface Card (NIC) Device Drivers contain flaws that may result in an information leakage vulnerability. The issue is triggered when Ethernet device drivers reuse old frame buffer data to pad packets. 
It is possible that the flaw may allow remote attackers to harvest sensitive information from affected devices resulting in a loss of confidentiality.\n## References:\n[Vendor Specific Advisory URL](http://www.vmware.com/support/kb/enduser/std_adp.php?p_sid=FsNALBWh&p_lva=&p_faqid=1437)\n[Vendor Specific Advisory URL](http://www.debian.org/security/2003/dsa-311)\n[Vendor Specific Advisory URL](http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin)\n[Vendor Specific Advisory URL](http://www.linuxsecurity.com/advisories/engarde_advisory-2976.html)\n[Vendor Specific Advisory URL](http://a1851.g.akamaitech.net/f/1851/2996/24h/cache.xerox.com/downloads/usa/en/c/CERT_VU412115.pdf)\n[Secunia Advisory ID:10817](https://secuniaresearch.flexerasoftware.com/advisories/10817/)\n[Secunia Advisory ID:11283](https://secuniaresearch.flexerasoftware.com/advisories/11283/)\n[Related OSVDB ID: 2270](https://vulners.com/osvdb/OSVDB:2270)\n[Related OSVDB ID: 2615](https://vulners.com/osvdb/OSVDB:2615)\nOther Advisory URL: http://www.nextgenss.com/advisories/etherleak-2003.txt\nGeneric Informational URL: http://www.atstake.com/research/advisories/2003/a010603-1.txt\nGeneric Informational URL: http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf\n[CVE-2003-0001](https://vulners.com/cve/CVE-2003-0001)\nCERT VU: 412115\n", "published": "2004-02-09T08:23:38", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:3873", "cvelist": ["CVE-2003-0001"], "lastseen": "2017-04-28T13:19:58"}, {"id": "OSVDB:9962", "type": "osvdb", "title": "ZyXEL Prestige 681 ARP Request Packet Information Disclosure", "description": "## Vulnerability Description\nSome ZyXEL Prestige devices contain a flaw that may lead to an unauthorized information disclosure. 
ARP requests emitted by the device could contain random parts of the memory (especially parts of recent telnet sessions), which will disclose sensitive information to an attacker able to sniff the local network resulting in a loss of confidentiality.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nSome ZyXEL Prestige devices contain a flaw that may lead to an unauthorized information disclosure. ARP requests emitted by the device could contain random parts of the memory (especially parts of recent telnet sessions), which will disclose sensitive information to an attacker able to sniff the local network resulting in a loss of confidentiality.\n## References:\nVendor URL: http://www.zyxel.com/\nSecurity Tracker: 1008999\nMail List Post: http://whitestar.linuxbox.org/pipermail/exploits/2007-March/000165.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0127.html\nISS X-Force ID: 17372\n[CVE-2004-1684](https://vulners.com/cve/CVE-2004-1684)\n[CVE-2003-0001](https://vulners.com/cve/CVE-2003-0001)\nBugtraq ID: 11167\n", "published": "2004-09-13T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:9962", "cvelist": ["CVE-2003-0001", "CVE-2004-1684"], "lastseen": "2017-04-28T13:20:05"}], "seebug": [{"id": "SSV:75942", "type": "seebug", "title": "Linux Kernel 2.0.x/2.2.x/2.4.x,FreeBSD 4.x Network Device Driver Frame Padding Information Disclosure", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.seebug.org/vuldb/ssvid-75942", "cvelist": ["CVE-2003-0001"], "lastseen": "2017-11-19T16:09:02"}, {"id": "SSV:64575", "type": "seebug", "title": "Ethernet Device Drivers Frame Padding - Info Leakage Exploit (Etherleak)", 
"description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.seebug.org/vuldb/ssvid-64575", "cvelist": ["CVE-2003-0001"], "lastseen": "2017-11-19T14:21:46"}, {"id": "SSV:6453", "type": "seebug", "title": "Ethernet Device Drivers Frame Padding Info Leakage Exploit (Etherleak)", "description": "No description provided by source.", "published": "2007-03-24T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.seebug.org/vuldb/ssvid-6453", "cvelist": ["CVE-2003-0001"], "lastseen": "2017-11-19T22:07:10"}, {"id": "SSV:79723", "type": "seebug", "title": "Cisco ASA < 8.4.4.6 & 8.2.5.32 - Ethernet Information Leak", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.seebug.org/vuldb/ssvid-79723", "cvelist": ["CVE-2003-0001"], "lastseen": "2017-11-19T15:04:05"}], "exploitdb": [{"id": "EDB-ID:3555", "type": "exploitdb", "title": "Ethernet Device Drivers Frame Padding - Info Leakage Exploit Etherleak", "description": "Ethernet Device Drivers Frame Padding Info Leakage Exploit (Etherleak). CVE-2003-0001. Remote exploits for multiple platform", "published": "2007-03-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/3555/", "cvelist": ["CVE-2003-0001"], "lastseen": "2016-01-31T18:45:53"}, {"id": "EDB-ID:26076", "type": "exploitdb", "title": "Cisco ASA < 8.4.4.6 & 8.2.5.32 - Ethernet Information Leak", "description": "Cisco ASA < 8.4.4.6 & 8.2.5.32 - Ethernet Information Leak. CVE-2003-0001. 
Dos exploit for hardware platform", "published": "2013-06-10T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/26076/", "cvelist": ["CVE-2003-0001"], "lastseen": "2016-02-03T02:48:02"}, {"id": "EDB-ID:22131", "type": "exploitdb", "title": "Linux Kernel 2.0.x/2.2.x/2.4.x,FreeBSD 4.x Network Device Driver Frame Padding Information Disclosure", "description": "Linux Kernel 2.0.x/2.2.x/2.4.x,FreeBSD 4.x Network Device Driver Frame Padding Information Disclosure. CVE-2003-0001. Remote exploit for unix platform", "published": "2007-03-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/22131/", "cvelist": ["CVE-2003-0001"], "lastseen": "2016-02-02T18:02:41"}], "openvas": [{"id": "OPENVAS:53625", "type": "openvas", "title": "Debian Security Advisory DSA 336-1 (kernel-source-2.2.20, kernel-image-2.2.20-i386)", "description": "The remote host is missing an update to kernel-source-2.2.20, kernel-image-2.2.20-i386\nannounced via advisory DSA 336-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53625", "cvelist": ["CVE-2003-0248", "CVE-2003-0247", "CVE-2002-0429", "CVE-2003-0127", "CVE-2003-0364", "CVE-2003-0001", "CVE-2003-0246", "CVE-2003-0244"], "lastseen": "2017-07-24T12:50:13"}, {"id": "OPENVAS:53601", "type": "openvas", "title": "Debian Security Advisory DSA 312-1 (kernel-patch-2.4.18-powerpc)", "description": "The remote host is missing an update to kernel-patch-2.4.18-powerpc\nannounced via advisory DSA 312-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53601", "cvelist": ["CVE-2003-0248", "CVE-2003-0247", 
"CVE-2002-0429", "CVE-2003-0127", "CVE-2003-0364", "CVE-2003-0001", "CVE-2003-0246", "CVE-2003-0244"], "lastseen": "2017-07-24T12:50:03"}, {"id": "OPENVAS:53694", "type": "openvas", "title": "Debian Security Advisory DSA 311-1 (kernel)", "description": "The remote host is missing an update to kernel\nannounced via advisory DSA 311-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53694", "cvelist": ["CVE-2003-0248", "CVE-2003-0247", "CVE-2002-0429", "CVE-2003-0127", "CVE-2003-0364", "CVE-2003-0001", "CVE-2003-0246", "CVE-2003-0244"], "lastseen": "2017-07-24T12:49:55"}, {"id": "OPENVAS:53621", "type": "openvas", "title": "Debian Security Advisory DSA 332-1 (kernel-source-2.4.17, kernel-patch-2.4.17-mips)", "description": "The remote host is missing an update to kernel-source-2.4.17, kernel-patch-2.4.17-mips\nannounced via advisory DSA 332-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53621", "cvelist": ["CVE-2003-0248", "CVE-2003-0247", "CVE-2002-0429", "CVE-2003-0127", "CVE-2003-0364", "CVE-2003-0001", "CVE-2003-0246", "CVE-2003-0244"], "lastseen": "2017-07-24T12:50:23"}, {"id": "OPENVAS:53142", "type": "openvas", "title": "Debian Security Advisory DSA 442-1 (kernel-patch-2.4.17-s390, kernel-image-2.4.17-s390)", "description": "The remote host is missing an update to kernel-patch-2.4.17-s390, kernel-image-2.4.17-s390\nannounced via advisory DSA 442-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53142", "cvelist": ["CVE-2003-0248", "CVE-2003-0961", "CVE-2003-0247", "CVE-2002-0429", "CVE-2003-0985", "CVE-2003-0364", "CVE-2003-0001", "CVE-2003-0246", 
"CVE-2003-0244", "CVE-2004-0077"], "lastseen": "2017-07-24T12:50:22"}, {"id": "OPENVAS:53122", "type": "openvas", "title": "Debian Security Advisory DSA 423-1 (kernel-image-2.4.17-ia64)", "description": "The remote host is missing an update to kernel-image-2.4.17-ia64\nannounced via advisory DSA 423-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53122", "cvelist": ["CVE-2003-0961", "CVE-2003-0461", "CVE-2003-0985", "CVE-2003-0127", "CVE-2003-0001", "CVE-2003-0501", "CVE-2003-0552", "CVE-2003-0476", "CVE-2003-0462", "CVE-2003-0018", "CVE-2003-0551", "CVE-2003-0550"], "lastseen": "2017-07-24T12:49:44"}], "debian": [{"id": "DSA-312", "type": "debian", "title": "kernel-patch-2.4.18-powerpc -- several vulnerabilities", "description": "A number of vulnerabilities have been discovered in the Linux kernel.\n\nCVE-2002-0429: The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall).\n\nCAN-2003-0001: Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets.\n\nCAN-2003-0127: The kernel module loader allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.\n\nCAN-2003-0244: The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain.\n\nCAN-2003-0246: The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain 
read or write access to certain I/O ports.\n\nCAN-2003-0247: Vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service (\"kernel oops\").\n\nCAN-2003-0248: The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address.\n\nCAN-2003-0364: The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions.\n\nThis advisory covers only the powerpc architecture. Other architectures will be covered by separate advisories.\n\nFor the stable distribution (woody) on the powerpc architecture, these problems have been fixed in version 2.4.18-1woody1.\n\nFor the unstable distribution (sid) these problems are fixed in version 2.4.20-2.\n\nWe recommend that you update your kernel packages.\n\nNOTE: A system reboot will be required immediately after the upgrade in order to replace the running kernel. 
Remember to read carefully and follow the instructions given during the kernel upgrade process.", "published": "2003-06-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-312", "cvelist": ["CVE-2003-0248", "CVE-2003-0247", "CVE-2002-0429", "CVE-2003-0127", "CVE-2003-0364", "CVE-2003-0001", "CVE-2003-0246", "CVE-2003-0244"], "lastseen": "2016-09-02T18:28:21"}, {"id": "DSA-336", "type": "debian", "title": "linux-kernel-2.2.20 -- several vulnerabilities", "description": "A number of vulnerabilities have been discovered in the Linux kernel.\n\n * [CAN-2002-1380](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1380>): Linux kernel 2.2.x allows local users to cause a denial of service (crash) by using the mmap() function with a PROT_READ parameter to access non-readable memory pages through the /proc/pid/mem interface.\n * [CVE-2002-0429](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0429>): The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall)\n * [CAN-2003-0001](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001>): Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets\n * [CAN-2003-0127](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127>): The kernel module loader allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel\n * [CAN-2003-0244](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0244>): The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged 
source addresses that cause a large number of hash table collisions related to the PREROUTING chain\n * [CAN-2003-0246](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0246>): The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.\n * [CAN-2003-0247](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0247>): vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service (\"kernel oops\")\n * [CAN-2003-0248](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0248>): The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address.\n * [CAN-2003-0364](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0364>): The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions\n\nThis advisory provides updated 2.2.20 kernel source, and binary kernel images for the i386 architecture. Other architectures and kernel versions will be covered by separate advisories.\n\nFor the stable distribution (woody) on the i386 architecture, these problems have been fixed in kernel-source-2.2.20 version 2.2.20-5woody2 and kernel-image-i386 version 2.2.20-5woody3.\n\nFor the unstable distribution (sid) these problems are fixed in kernel-source-2.2.25 and kernel-image-2.2.25-i386 version 2.2.25-2.\n\nWe recommend that you update your kernel packages.\n\nNOTE: A system reboot will be required immediately after the upgrade in order to replace the running kernel. Remember to read carefully and follow the instructions given during the kernel upgrade process.\n\nNOTE: These kernels are not binary-compatible with the previous version. 
Any loadable modules will need to be recompiled in order to work with the new kernel.", "published": "2003-06-29T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-336", "cvelist": ["CVE-2003-0248", "CVE-2003-0247", "CVE-2002-0429", "CVE-2003-0127", "CVE-2003-0364", "CVE-2003-0001", "CVE-2003-0246", "CVE-2003-0244", "CVE-2002-1380"], "lastseen": "2016-09-02T18:35:30"}, {"id": "DSA-311", "type": "debian", "title": "linux-kernel-2.4.18 -- several vulnerabilities", "description": "A number of vulnerabilities have been discovered in the Linux kernel.\n\nCVE-2002-0429: The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall).\n\nCAN-2003-0001: Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets.\n\nCAN-2003-0127: The kernel module loader allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.\n\nCAN-2003-0244: The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain.\n\nCAN-2003-0246: The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.\n\nCAN-2003-0247: Vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service (\"kernel oops\").\n\nCAN-2003-0248: The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a 
malformed address.\n\nCAN-2003-0364: The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions.\n\nThis advisory covers only the i386 (Intel IA32) architectures. Other architectures will be covered by separate advisories.\n\nFor the stable distribution (woody) on the i386 architecture, these problems have been fixed in kernel-source-2.4.18 version 2.4.18-9, kernel-image-2.4.18-1-i386 version 2.4.18-8, and kernel-image-2.4.18-i386bf version 2.4.18-5woody1.\n\nFor the unstable distribution (sid) these problems are fixed in the 2.4.20 series kernels based on Debian sources.\n\nWe recommend that you update your kernel packages.\n\nIf you are using the kernel installed by the installation system when the \"bf24\" option is selected (for a 2.4.x kernel), you should install the kernel-image-2.4.18-bf2.4 package. If you installed a different kernel-image package after installation, you should install the corresponding 2.4.18-1 kernel. You may use the table below as a guide.\n \n \n | If \"uname -r\" shows: | Install this package:\n | 2.4.18-bf2.4 | kernel-image-2.4.18-bf2.4\n | 2.4.18-386 | kernel-image-2.4.18-1-386\n | 2.4.18-586tsc | kernel-image-2.4.18-1-586tsc\n | 2.4.18-686 | kernel-image-2.4.18-1-686\n | 2.4.18-686-smp | kernel-image-2.4.18-1-686-smp\n | 2.4.18-k6 | kernel-image-2.4.18-1-k6\n | 2.4.18-k7 | kernel-image-2.4.18-1-k7\n \n\nNOTE: that this kernel is not binary compatible with the previous version. For this reason, the kernel has a different version number and will not be installed automatically as part of the normal upgrade process. Any custom modules will need to be rebuilt in order to work with the new kernel. New PCMCIA modules are provided for all of the above kernels.\n\nNOTE: A system reboot will be required immediately after the upgrade in order to replace the running kernel. 
Remember to read carefully and follow the instructions given during the kernel upgrade process.", "published": "2003-06-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-311", "cvelist": ["CVE-2003-0248", "CVE-2003-0247", "CVE-2002-0429", "CVE-2003-0127", "CVE-2003-0364", "CVE-2003-0001", "CVE-2003-0246", "CVE-2003-0244"], "lastseen": "2016-09-02T18:32:39"}, {"id": "DSA-332", "type": "debian", "title": "linux-kernel-2.4.17 -- several vulnerabilities", "description": "A number of vulnerabilities have been discovered in the Linux kernel.\n\n * [CVE-2002-0429](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0429>): The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall) \n * [CAN-2003-0001](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001>): Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets \n * [CAN-2003-0127](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127>): The kernel module loader allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel \n * [CAN-2003-0244](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0244>): The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain \n * [CAN-2003-0246](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0246>): The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, 
which allows local users to gain read or write access to certain I/O ports. \n * [CAN-2003-0247](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0247>): vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service (\"kernel oops\") \n * [CAN-2003-0248](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0248>): The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address. \n * [CAN-2003-0364](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0364>): The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions \n\nThis advisory provides corrected source code for Linux 2.4.17, and corrected binary kernel images for the mips and mipsel architectures. Other versions and architectures will be covered by separate advisories.\n\nFor the stable distribution (woody), these problems have been fixed in kernel-source-2.4.17 version 2.4.17-1woody1 and kernel-patch-2.4.17-mips version 2.4.17-0.020226.2.woody2.\n\nFor the unstable distribution (sid) these problems are fixed in kernel-source-2.4.20 version 2.4.20-8.\n\nWe recommend that you update your kernel packages.\n\nNOTE: A system reboot will be required immediately after the upgrade in order to replace the running kernel. 
Remember to read carefully and follow the instructions given during the kernel upgrade process.", "published": "2003-06-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-332", "cvelist": ["CVE-2003-0248", "CVE-2003-0247", "CVE-2002-0429", "CVE-2003-0127", "CVE-2003-0364", "CVE-2003-0001", "CVE-2003-0246", "CVE-2003-0244"], "lastseen": "2016-09-02T18:29:54"}, {"id": "DSA-442", "type": "debian", "title": "linux-kernel-2.4.17-s390 -- several vulnerabilities", "description": "Several security related problems have been fixed in the Linux kernel 2.4.17 used for the S/390 architecture, mostly by backporting fixes from 2.4.18 and incorporating recent security fixes. The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project:\n\n * [CVE-2002-0429](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0429>): \n\nThe iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall).\n\n * [CAN-2003-0001](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001>): \n\nMultiple ethernet network interface card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.\n\n * [CAN-2003-0244](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0244>): \n\nThe route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain.\n\n * [CAN-2003-0246](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0246>): \n\nThe ioperm system call in Linux 
kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.\n\n * [CAN-2003-0247](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0247>): \n\nA vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service (\"kernel oops\").\n\n * [CAN-2003-0248](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0248>): \n\nThe mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address.\n\n * [CAN-2003-0364](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0364>): \n\nThe TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions.\n\n * [CAN-2003-0961](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0961>): \n\nAn integer overflow in brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.\n\n * [CAN-2003-0985](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985>): \n\nPaul Starzetz [discovered](<http://isec.pl/vulnerabilities/isec-0013-mremap.txt>) a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.\n\n * [CAN-2004-0077](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077>): \n\nPaul Starzetz and Wojciech Purczynski of isec.pl [discovered](<http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt>) a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to missing function return value check of internal functions a local attacker can gain root privileges. 
Fixed upstream in Linux 2.4.25 and 2.6.3.\n\nFor the stable distribution (woody) these problems have been fixed in version 2.4.17-2.woody.3 of s390 images and in version 0.0.20020816-0.woody.2 of the patch packages.\n\nFor the unstable distribution (sid) these problems will be fixed soon.\n\nWe recommend that you upgrade your Linux kernel packages immediately.\n\n[Vulnerability matrix](<CAN-2004-0077>) for CAN-2004-0077", "published": "2004-02-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-442", "cvelist": ["CVE-2003-0248", "CVE-2003-0961", "CVE-2003-0247", "CVE-2002-0429", "CVE-2003-0985", "CVE-2003-0364", "CVE-2003-0001", "CVE-2003-0246", "CVE-2003-0244", "CVE-2004-0077"], "lastseen": "2016-09-02T18:19:42"}, {"id": "DSA-423", "type": "debian", "title": "linux-kernel-2.4.17-ia64 -- several vulnerabilities", "description": "The IA-64 maintainers fixed several security related bugs in the Linux kernel 2.4.17 used for the IA-64 architecture, mostly by backporting fixes from 2.4.18. 
The corrections are listed below with the identification from the Common Vulnerabilities and Exposures (CVE) project:\n\n * [CAN-2003-0001](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001>): \n\nMultiple ethernet network interface card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.\n\n * [CAN-2003-0018](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0018>): \n\nLinux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption.\n\n * [CAN-2003-0127](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127>): \n\nThe kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process which is spawned by the kernel.\n\n * [CAN-2003-0461](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0461>): \n\nThe virtual file /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.\n\n * [CAN-2003-0462](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0462>): \n\nA race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash).\n\n * [CAN-2003-0476](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0476>): \n\nThe execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors.\n\n * 
[CAN-2003-0501](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0501>): \n\nThe /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries.\n\n * [CAN-2003-0550](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0550>): \n\nThe STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology.\n\n * [CAN-2003-0551](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0551>): \n\nThe STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service.\n\n * [CAN-2003-0552](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0552>): \n\nLinux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target.\n\n * [CAN-2003-0961](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0961>): \n\nAn integer overflow in brk system call (do_brk function) for Linux kernel 2.4.22 and earlier allows local users to gain root privileges.\n\n * [CAN-2003-0985](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985>): \n\nThe mremap system call (do_mremap) in Linux kernel 2.4 and 2.6 does not properly perform boundary checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA.\n\nFor the stable distribution (woody) this problem has been fixed in version kernel-image-2.4.17-ia64 for the ia64 architecture. 
Other architectures are already or will be fixed separately.\n\nFor the unstable distribution (sid) this problem will be fixed soon with newly uploaded packages.", "published": "2004-01-15T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-423", "cvelist": ["CVE-2003-0961", "CVE-2003-0461", "CVE-2003-0985", "CVE-2003-0127", "CVE-2003-0001", "CVE-2003-0501", "CVE-2003-0552", "CVE-2003-0476", "CVE-2003-0462", "CVE-2003-0018", "CVE-2003-0551", "CVE-2003-0550"], "lastseen": "2016-09-02T18:30:30"}], "oracle": [{"id": "ORACLE:CPUJAN2015-1972971", "type": "oracle", "title": "Oracle Critical Patch Update - January 2015", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 169 new security fixes across the product families listed below. 
Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nPlease note that on October 16, 2014, Oracle released information for [CVE-2014-3566 \"POODLE\"](<http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2014-3566 in addition to the fixes announced in this CPU.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2015-03-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-0388", "CVE-2014-6574", "CVE-2015-0390", "CVE-2011-4317", "CVE-2014-6592", "CVE-2014-3566", "CVE-2011-4461", "CVE-2015-0386", "CVE-2015-0425", "CVE-2014-6566", "CVE-2013-4784", "CVE-2014-0191", "CVE-2015-0365", "CVE-2014-6579", "CVE-2014-6556", "CVE-2014-0231", "CVE-2014-6571", "CVE-2015-0427", "CVE-2014-6578", "CVE-2015-0398", "CVE-2014-6510", "CVE-2014-6595", "CVE-2011-3607", "CVE-2014-6518", "CVE-2015-0385", "CVE-2015-0395", "CVE-2015-0368", "CVE-2013-6449", "CVE-2014-6575", "CVE-2015-0380", "CVE-2015-0424", "CVE-2003-0001", "CVE-2014-6565", "CVE-2015-0407", "CVE-2014-0076", "CVE-2015-0362", "CVE-2015-0430", "CVE-2014-6585", "CVE-2015-0410", "CVE-2013-5704", "CVE-2015-0402", "CVE-2015-0379", "CVE-2014-6548", "CVE-2015-0396", "CVE-2015-0422", "CVE-2015-0435", "CVE-2014-5704", "CVE-2013-5605", "CVE-2014-6584", "CVE-2014-0224", "CVE-2014-4259", "CVE-2015-0391", "CVE-2014-6567", "CVE-2015-0418", "CVE-2013-0338", "CVE-2014-6480", 
"CVE-2014-6576", "CVE-2015-0428", "CVE-2015-0431", "CVE-2014-0098", "CVE-2014-6549", "CVE-2015-0420", "CVE-2015-0432", "CVE-2015-0383", "CVE-2011-3389", "CVE-2013-1741", "CVE-2014-6583", "CVE-2014-6597", "CVE-2014-4279", "CVE-2004-0230", "CVE-2015-0369", "CVE-2014-6525", "CVE-2015-0372", "CVE-2014-6582", "CVE-2015-0378", "CVE-2015-0392", "CVE-2015-0416", "CVE-2014-6587", "CVE-2013-1740", "CVE-2013-6438", "CVE-2015-0406", "CVE-2015-0401", "CVE-2014-6569", "CVE-2014-3470", "CVE-2012-0053", "CVE-2013-1739", "CVE-2014-6599", "CVE-2014-1492", "CVE-2013-2877", "CVE-2015-0417", "CVE-2015-0404", "CVE-2013-6450", "CVE-2013-5606", "CVE-2014-0114", "CVE-2015-0364", "CVE-2014-0050", "CVE-2010-5107", "CVE-2011-3368", "CVE-2014-6573", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2015-0371", "CVE-2014-6526", "CVE-2015-0382", "CVE-2014-1568", "CVE-2015-0363", "CVE-2014-6600", "CVE-2014-6580", "CVE-2014-6509", "CVE-2015-0375", "CVE-2015-0414", "CVE-2014-0195", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-0198", "CVE-2014-6601", "CVE-2014-6594", "CVE-2015-0373", "CVE-2015-0421", "CVE-2013-2186", "CVE-2014-3567", "CVE-2014-6581", "CVE-2014-0015", "CVE-2015-0403", "CVE-2014-6570", "CVE-2015-0408", "CVE-2015-0429", "CVE-2014-6596", "CVE-2014-6521", "CVE-2015-0374", "CVE-2014-6591", "CVE-2014-6586", "CVE-2014-6524", "CVE-2014-6572", "CVE-2015-0370", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0409", "CVE-2015-0387", "CVE-2015-0389", "CVE-2015-0399", "CVE-2014-0118", "CVE-2015-0415", "CVE-2014-6590", "CVE-2015-0376", "CVE-2014-6481", "CVE-2015-0393", "CVE-2015-0366", "CVE-2015-0419", "CVE-2014-6568", "CVE-2015-0377", "CVE-2015-0394", "CVE-2015-0397", "CVE-2015-0384", "CVE-2014-6589", "CVE-2014-1491", "CVE-2014-6528", "CVE-2014-6588", "CVE-2014-6541", "CVE-2011-1944", "CVE-2015-0437", "CVE-2014-6514", "CVE-2014-0117", "CVE-2014-4212", "CVE-2015-0436", "CVE-2014-6598", "CVE-2015-0367", "CVE-2014-0226", "CVE-2013-1620", "CVE-2013-4545", "CVE-2015-0426", "CVE-2015-0434", 
"CVE-2014-0221", "CVE-2015-0411", "CVE-2015-0381", "CVE-2014-6577"], "lastseen": "2018-04-18T20:23:51"}]}}