According to the Internet media, the researchers from @stake have discovered
a vulnerability that has been slowly bleeding sensitive data across networks
for more than a decade.
The report from @stake, "EtherLeak: Ethernet frame padding information
leakage," indicates that the threat derives from the fact that some
Ethernet device drivers have been padding small Ethernet packets with
previously transmitted and other sensitive data rather than the nulls
called for in the Ethernet standard.
Ethernet packets can be from 46 to 1,500 bytes in size. But some high-level
protocols call for shorter packets, and the IEEE 802.3 (Ethernet) standard
says these should be padded with nulls to meet the minimum size requirements.
The recent discovery by @stake researchers is that some network interface
card device drivers don't generate nulls; instead, they use old pieces
of data as filler without any regard to what information is contained
in them. In various installations, the "fill" information can
come from dynamic kernel memory, from static system memory dedicated to
the device driver, or from RAM on the network interface card itself. The
source of the data determines what sort of risk is posed.
The researchers suggest that the easiest way to exploit this vulnerability
is to send ICMP echo commands to a machine running a vulnerable driver,
which will then return bits of kernel memory data to pad the reply. These,
in turn, can be searched for valuable information using a packet sniffer.
CERT warned, "This vulnerability may also affect link layer networking
protocols other than Ethernet," but it didn't list any examples in
the Vulnerability Note.