Intel® LAN Driver Buffer Overflow Local Privilege Escalation

Intel ID: INTEL-SA-00006
Product family: Intel® Network Protocol Drivers for Intel® Network Components
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Jan 12, 2007
Last revised: Jan 24, 2008
Summary: 

A software vulnerability exists in the specified PCI, PCI-X and PCIe Intel network component drivers that could allow unprivileged code executing on an affected system to perform a local privilege escalation.

Description: 

This software vulnerability is due to a buffer overflow that could be caused by incorrect use of a function call. This condition could allow unauthorized code to be introduced that could be run with kernel-level privileges.

Affected products: 

Only specific configurations of these operating system/driver combinations are vulnerable. Detailed procedures for identifying the affected configurations can be found later in this document. Either review the procedure to determine if your system is affected or simply upgrade to the latest driver to ensure protection.

Product Family | Operating Systems | Affected Driver Versions | Corrected Driver Versions
Intel® PRO 10/100 | Windows* 2000, Windows* XP, Windows* Server 2003, Windows* Vista | 4.2.38.1 to 8.0.27.0 | 8.0.43.0 or later
Intel® PRO/1000 | Windows* 2000, Windows* XP, Windows* Server 2003 | 6.2.21.0 to 8.7.1.0 | 8.7.9.0 or later
Intel® PRO/1000 PCIe | Windows* 2000, Windows* XP, Windows* Server 2003 | 9.0.15.0 to 9.1.34.0 | 9.2.24.0 or later

Embedded Solutions:

Product Family | Operating Systems | Affected Driver Versions | Corrected Driver Versions
Intel® PRO/1000 | Windows* CE 5 | All releases prior to the corrected version (Note 1) | e1000ce5.dll  12/12/2006  09:36 AM (Note 1)
Intel® PRO/1000 | Windows* XP Embedded | All releases prior to the corrected version | e100032e.sys [Version 7.2.17]; e1000325.sys [Version 8.7.9.0]
Intel® PRO/1000 | Windows* 2000 (82541ER) | All releases prior to the corrected version | e10002ke.sys [Version 7.2.17.0]

Once you have verified that you have an affected driver, follow these steps to determine if you have a vulnerable configuration. Note that Administrator privileges are required to use the Device Manager and Registry Editor Windows applications.
Step 1: Determine which Intel Ethernet network hardware devices exist on the system.
  • Open Device Manager.
    • Right-click on “My Computer” (“Computer” in Vista). The “My Computer” or “Computer” icon can be found by clicking the “Start” button on the Windows* desktop. The icon may also be visible directly on the Windows* desktop.
    • Select “Properties”.
    • On Windows* Vista, select “Advanced System Settings”, observe the User Account Control dialog appear, and select “Continue”.
    • Select “Hardware”.
    • Select “Device Manager”.
  • Expand the “Network Adapters” node within Device Manager.
  • If you do not see an Intel Ethernet network adapter labeled either “PRO/100” or “PRO/1000”, your system is not vulnerable; otherwise, continue to Step 2.
Step 2: For each Intel Ethernet network adapter, determine whether the device driver software is of a vulnerable version.
  • Follow Step 1 to observe the Intel Ethernet network adapters on the system in Device Manager.
  • For each Intel Ethernet network adapter visible in Device Manager:
    • Observe the adapter name in Device Manager. Note whether the adapter is a “PRO/100” (100 Mb/s) or a “PRO/1000” (1000 Mb/s).
    • Right-click on the adapter, and select Properties.
    • Select “Driver”.
    • Observe the Driver Version. This is a number of the form x.x.x.x.
    • Compare this driver version to the table of affected driver versions. For PRO/100 adapters, use the first row of the table. For PRO/1000 adapters, use the second and third rows of the table.
      • For PRO/1000 adapters, an optional step (not required, because the PRO/1000 and PRO/1000 PCIe versions do not overlap) is to determine whether the device is a PRO/1000 or PRO/1000 PCIe device. This can be most easily accomplished by clicking on “Driver Details” on this same “Driver” page and observing the name of the .sys file. If that file name begins with “e1e”, the device is a PRO/1000 PCIe device, and the third row of the table should be used. Otherwise, it should be a PRO/1000 PCI device with a file name beginning with “e1g” or “e1000”, and the second row in the table should be used.
    • If the driver version is not one of the affected versions per this table, the system is not vulnerable; otherwise, continue to Step 3.
Step 3: For each Intel Ethernet network adapter which has a vulnerable device driver version, examine the PcNic registry setting.
  • Follow Step 1 to observe the Intel Ethernet network adapters on the system in Device Manager.
  • For each Intel Ethernet network adapter visible in Device Manager:
    • Follow Step 2 to determine whether the device driver software is of an affected version. If the driver is not vulnerable, Step 3 may be skipped for this adapter.
    • Right-click on the adapter, and select Properties.
    • Select “Details”.
    • In the “Property” selection box, select “Hardware Ids”.
    • Keep this window open for later reference.
    • Open up the Registry Editor. On the command line (opened with “run as Administrator” in Vista), type “regedit”.
    • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI.
    • Open the next subkey (under PCI) with the name that matches the longest string in the “Hardware Ids” property observed above.
    • Open the next subkey which is named in the form x&xxxxxxxx&xx&xxxx (e.g. 3&b1bfb68&0&FA). If there is more than one such subkey, then there are multiple adapters of the same Hardware Id on the system. This can occur either when multiple physical adapter cards are present or when a single adapter card has multiple ports. Each subkey corresponds to a different network adapter visible in Device Manager. A set of such adapters that have the same Hardware Id appears in Device Manager with a common base name appended with “ #n” where n is a sequentially increasing numeric value. In this situation of multiple adapters of common Hardware Id, it is not strictly necessary to correlate the registry subkey with the device node in Device Manager as long as every subkey is examined. Such correlation can optionally be achieved by matching the PCI bus/device/function number visible in the “LocationInformation” value of the subkey with the same information visible on the General property page of device manager. In most cases, there will be a single subkey under a given Hardware Id. If there is more than one, check them all.
    • Examine the Driver value. This value should be of the form “{4d36e972-e325-11ce-bfc1-08002be10318}\xxxx”. Make note of the value xxxx (e.g. 0008) for use below.
    • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}.
    • Open the next subkey matching the Driver value examined above.
    • Within this subkey, look for a value type string (REG_SZ) named “PcNic”. If the “PcNic” value exists and is “0”, the system is not vulnerable (even if the driver version is one of the affected versions). If the “PcNic” value either does not exist or exists with a value of “1” (assuming in either case that the driver version is one of the affected versions), then the system is vulnerable.
Note 1: For Win CE drivers there is no version number; use the file creation date of the driver file.
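
The decision made in Steps 2 and 3, as an added Python example (not Intel's code): it compares a driver version read from Device Manager against the affected ranges in the first table and then applies the PcNic rule. The function names, the "undetermined" result for PcNic values other than "0" or "1", and the sample inventory are assumptions made for illustration; the embedded drivers from the second table are not covered.

```python
# Added example: decision logic of Steps 2-3, using the ranges from the advisory's table.
# Inputs are values an administrator reads from Device Manager and the registry.

def parse_version(text):
    """Turn 'x.x.x.x' into a tuple of ints so 8.0.9.0 sorts before 8.0.27.0."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an x.x.x.x driver version: {text!r}")
    return tuple(int(p) for p in parts)

# (family, first affected, last affected, first corrected), copied from the table.
AFFECTED = {
    "PRO/100": [("Intel PRO 10/100", "4.2.38.1", "8.0.27.0", "8.0.43.0")],
    "PRO/1000": [
        ("Intel PRO/1000", "6.2.21.0", "8.7.1.0", "8.7.9.0"),
        ("Intel PRO/1000 PCIe", "9.0.15.0", "9.1.34.0", "9.2.24.0"),
    ],
}

def affected_row(adapter_kind, driver_version):
    """Step 2: return the matching table row, or None if the version is not affected."""
    v = parse_version(driver_version)
    for row in AFFECTED[adapter_kind]:
        if parse_version(row[1]) <= v <= parse_version(row[2]):
            return row
    return None

def assess(adapter_kind, driver_version, pcnic):
    """Steps 2-3. pcnic is the REG_SZ string, or None when the value is absent."""
    row = affected_row(adapter_kind, driver_version)
    if row is None:
        return "not vulnerable: driver version not in an affected range"
    if pcnic == "0":
        return "not vulnerable: affected driver, but PcNic is 0"
    if pcnic is None or pcnic == "1":
        return f"vulnerable: {row[0]} driver, upgrade to {row[3]} or later"
    # The advisory only defines absent, "0" and "1"; flag anything else (assumption).
    return f"undetermined: unexpected PcNic value {pcnic!r}"

# Constructed sample inventory: (adapter kind, driver version, PcNic value).
SAMPLES = [
    ("PRO/100", "8.0.9.0", None),    # a plain string compare would miss this one
    ("PRO/1000", "9.1.34.0", "0"),   # affected driver, workaround applied
    ("PRO/1000", "8.7.9.0", "1"),    # corrected driver
]

if __name__ == "__main__":
    for kind, version, pcnic in SAMPLES:
        print(kind, version, pcnic, "->", assess(kind, version, pcnic))
```
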

Recommendations: 

While Intel is not aware of any malicious use of the vulnerability described in this advisory, users should upgrade to the latest software release. The following URLs contain the software download which resolves this vulnerability.

10/100: http://support.intel.com/support/network/sb/cs-006103.htm

Gigabit: http://support.intel.com/support/network/sb/cs-006120.htm

A workaround is available by editing the "PcNic" registry setting. This change will affect packet scheduling where different traffic priorities have been configured. It is important to note that this does not permanently fix the issue, as it can be undone by changing the registry back. It is strongly recommended that users upgrade to the latest software release. To implement the workaround, follow the steps above to locate the "PcNic" registry value, set it to "0", and reboot the system.

Acknowledgements: 

Intel would like to thank eEye Digital Security (www.eeye.com) for working with us.

Revision history: 

Revision | Date | Description
1.0 | 12-January-2007 | Migrating existing content to new Intel Product Security Center.
1.1 | 24-January-2008 | Added affected embedded devices


Disclaimer:

INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH INTEL® PRODUCTS. YOUR USE OF THE INFORMATION IN THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. INTEL RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT.


