Vigil@nce - Juniper JunOS: information disclosure via the padding of Ethernet frames
July 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can sniff Ethernet frames sent by Juniper JunOS, in
order to obtain sensitive information.
Impacted products: Juniper J-Series, JUNOS
Severity: 1/4
Creation date: 11/07/2013
DESCRIPTION OF THE VULNERABILITY
Ethernet frames must have a minimal length, which depends on the
bit rate of the data link.
When a packet, likely an IP one, is wrapped into an Ethernet
frame, the end of the containing buffer, between the end of the
packet and the end of the frame, if any, must be initialized.
However, JunOS does not do that, which leads to disclosure of
fragments of the JunOS kernel memory.
An attacker can therefore sniff Ethernet frames sent by Juniper
JunOS, in order to obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN