Security researchers have discovered a serious vulnerability that may be present in many Ethernet device drivers and that causes the devices to broadcast sensitive information over networks.

According to the IEEE's Ethernet standard, packets transmitted on an Ethernet network should be a minimum of 46 bytes. If, as sometimes happens with protocols such as IP, a higher-layer protocol requires fewer than 46 bytes, the Ethernet frames are supposed to be padded with null data. However, researchers at @stake Inc., in Cambridge, Mass., have discovered that many drivers instead pad packets with data from previously transmitted Ethernet frames.

This results in the device sending out sensitive information to other machines on the same Ethernet network. The type of data sent depends upon the device driver implementation, but it can range from data held in dynamic kernel memory, to static system memory allocated to the driver, to a hardware buffer located on the network interface card.
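
The padding behaviour described above, as an added example that is not code from the article or from @stake: a null-filling pad routine next to a receive-side check that counts non-zero padding bytes in a short IPv4 frame. The function names, the 14-byte header plus 46-byte minimum layout (frame check sequence excluded) and the sample frame are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN   14                 /* dst MAC, src MAC, EtherType */
#define ETH_MIN_FRAME (ETH_HDR_LEN + 46) /* header + 46-byte minimum, FCS excluded */

/* Hardened transmit path: copy a short frame into buf and null-fill the rest.
 * Returns the length to send, or 0 if the input is invalid or does not fit. */
size_t pad_frame_zero(uint8_t *buf, size_t cap, const uint8_t *frame, size_t len)
{
    size_t out = len < ETH_MIN_FRAME ? ETH_MIN_FRAME : len;
    if (len < ETH_HDR_LEN || out > cap)
        return 0;
    memcpy(buf, frame, len);
    memset(buf + len, 0, out - len);     /* the step the affected drivers omit */
    return out;
}

/* Receive-side check for an IPv4 frame: number of non-zero bytes after the IP
 * datagram (i.e. in the padding), or -1 if the frame cannot be parsed. */
int count_leaked_pad_bytes(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN + 20 || frame[12] != 0x08 || frame[13] != 0x00)
        return -1;                       /* too short, or EtherType is not IPv4 */
    size_t end = ETH_HDR_LEN + (((size_t)frame[16] << 8) | frame[17]);
    if (end < ETH_HDR_LEN + 20 || end > len)
        return -1;                       /* IP total length field is implausible */
    int leaked = 0;
    for (size_t i = end; i < len; i++)
        leaked += frame[i] != 0;
    return leaked;
}

/* Constructed demo: a 42-byte IPv4 frame goes out through a reused 60-byte
 * buffer that still holds 'S' bytes standing in for an earlier frame. */
int demo(int zero_fill)
{
    uint8_t tx[ETH_MIN_FRAME], frame[42] = {0};
    frame[12] = 0x08;                    /* EtherType 0x0800 (IPv4) */
    frame[14] = 0x45;                    /* version 4, 20-byte header */
    frame[17] = 28;                      /* IP total length: 20 + 8 */
    memset(tx, 'S', sizeof tx);
    if (zero_fill)
        pad_frame_zero(tx, sizeof tx, frame, sizeof frame);
    else
        memcpy(tx, frame, sizeof frame); /* flawed: bytes 42..59 keep old data */
    return count_leaked_pad_bytes(tx, sizeof tx);
}
```

Running the same check over short frames captured from a host is one way to tell whether its driver null-fills padding; a result above zero means bytes beyond the IP datagram were not cleared.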

The link for this article located at eWeek is no longer available.