CVE-2003-0001
published 2003-01-17


Priority P341 · medium · 5 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 73.01% (99.4th percentile)
Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.

Affected

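99 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freebsd | freebsd | | |
| freebsd | freebsd | | |
| freebsd | freebsd | | |
| freebsd | freebsd | | |
| freebsd | freebsd | | |
| freebsd | freebsd | | |
| juniper | junos | < 18.4 | 18.4 |
| juniper | junos | < 18.3 | 18.3 |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |
| juniper | junos | | |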

Detection & IOCs (extracted from sources)

  • Detect Etherleak (CVE-2003-0001) by capturing Ethernet frames where the captured packet length exceeds the sum of the Layer 2 header size plus the Layer 3/4 payload length — the trailing bytes beyond the payload constitute leaked kernel memory padding.
  • Filter for Ethernet frames carrying a Scapy 'Padding' layer on ARP or ICMP traffic to identify hosts leaking kernel memory in frame padding.
  • For ARP-based Etherleak detection, extract leaked bytes at offset 10–14 of the padding layer; for ICMP-based detection, extract bytes at offset 9–13 of the padding layer.
  • Trigger Etherleak disclosure by sending ARP or ICMP packets to the target and sniffing responses for non-zero padding beyond the protocol payload boundary.
  • Datalink type 1 (Ethernet) frames have a 14-byte L2 header; datalink type 113 (Linux cooked capture) frames have a 16-byte header. Any captured bytes beyond header+payload length indicate leaked memory padding.
  • Cisco IOS 12.1 and 12.2 trains are explicitly stated as NOT affected by this vulnerability.
  • National Semiconductor Ethernet controller chips are not vulnerable to this issue.
  • Juniper ScreenOS devices (all versions prior to 6.3.0r25) do not pad Ethernet packets with zeros and are affected; this issue is often detected as CVE-2003-0001.
  • Juniper Junos OS on PTX1000/PTX10000 and QFX10000/PTX5000 Series devices sometimes do not reliably pad Ethernet packets; this issue is also known as 'Etherleak' and often detected as CVE-2003-0001.
  • Juniper SRX1400, SRX3400, and SRX3600 running affected Junos versions do not properly initialize memory locations used during padding of Ethernet packets, leaking sensitive information — a related issue to CVE-2003-0001.
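
The length rule in the detection notes above (captured length greater than L2 header plus L3 payload length, with 14-byte and 16-byte headers for datalink types 1 and 113) can be checked on raw captured frames as follows. This is an added example, not code from this page or from any tool it draws on; the function names are hypothetical, the sample frames are constructed, and it assumes untagged (no VLAN) IPv4 or ARP frames.

```python
import struct

# L2 header sizes per datalink type, as given in the list above
L2_HEADER_LEN = {1: 14, 113: 16}  # Ethernet, Linux cooked capture
ETH_IPV4, ETH_ARP = 0x0800, 0x0806

def trailing_bytes(frame: bytes, datalink: int = 1) -> bytes:
    """Return the bytes captured beyond L2 header + L3 payload length."""
    hdr = L2_HEADER_LEN[datalink]
    if len(frame) < hdr:
        raise ValueError("frame shorter than its L2 header")
    # Both header types end with the 2-byte EtherType/protocol field.
    (ethertype,) = struct.unpack("!H", frame[hdr - 2:hdr])
    l3 = frame[hdr:]
    if ethertype == ETH_IPV4 and len(l3) >= 20:
        (payload_len,) = struct.unpack("!H", l3[2:4])  # IPv4 total length
    elif ethertype == ETH_ARP and len(l3) >= 8:
        payload_len = 8 + 2 * (l3[4] + l3[5])  # fixed part + 2x(hw + proto addr)
    else:
        raise ValueError("unsupported or truncated L3 header")
    if payload_len > len(l3):
        raise ValueError("capture truncated before end of payload")
    return l3[payload_len:]

def leaks_padding(frame: bytes, datalink: int = 1) -> bool:
    """True when the trailer contains any non-zero byte."""
    return any(trailing_bytes(frame, datalink))

def sample_frame(pad: bytes) -> bytes:
    """Constructed 60-byte ICMP echo reply (checksums left at 0)."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 29, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    icmp = bytes([0, 0, 0, 0, 0, 1, 0, 1]) + b"A"  # type 0, one data byte
    return eth + ip + icmp + pad

CLEAN = sample_frame(bytes(17))                 # zero-filled padding
LEAKY = sample_frame(b"GET /index.html\r\n")    # constructed stale data

if __name__ == "__main__":
    for name, frame in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, leaks_padding(frame), trailing_bytes(frame))
```

Some capture setups include the 4-byte frame check sequence or a vendor trailer after the payload, so a non-zero trailer is a lead to review against the sending host rather than proof of a leak on its own.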

CVSS provenance

nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat · 5.0 · MEDIUM