Intel® LAN Driver Buffer Overflow Local Privilege Escalation

Intel ID: INTEL-SA-00006
Product family: Intel® Network Protocol Drivers for Intel® Network Components
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Jan 12, 2007
Last revised: Jan 24, 2008

Summary: 

A software vulnerability exists in the specified PCI, PCI-X and PCIe Intel network component drivers that could allow unprivileged code executing on an affected system to perform a local privilege escalation.

Description: 

This software vulnerability is due to a buffer overflow that could be caused by incorrect use of a function call. This condition could allow unauthorized code to be introduced that could be run with kernel-level privileges.

Affected products: 

Only specific configurations of these operating system/driver combinations are vulnerable. Detailed procedures for identifying the affected configurations can be found later in this document. Either review the procedure to determine if your system is affected or simply upgrade to the latest driver to ensure protection.

| Product Family | Operating Systems | Affected Driver Versions | Corrected Driver Versions |
|---|---|---|---|
| Intel® PRO 10/100 | Windows* 2000, Windows* XP, Windows* Server 2003, Windows* Vista | 4.2.38.1 to 8.0.27.0 | 8.0.43.0 or later |
| Intel® PRO/1000 | Windows* 2000, Windows* XP, Windows* Server 2003 | 6.2.21.0 to 8.7.1.0 | 8.7.9.0 or later |
| Intel® PRO/1000 PCIe | Windows* 2000, Windows* XP, Windows* Server 2003 | 9.0.15.0 to 9.1.34.0 | 9.2.24.0 or later |

Embedded Solutions:

| Product Family | Operating Systems | Affected Driver Versions | Corrected Driver Versions |
|---|---|---|---|
| Intel® PRO/1000 | Windows* CE 5 | All releases prior to the corrected version (Note 1) | e1000ce5.dll 12/12/2006 09:36 AM (Note 1) |
| Intel® PRO/1000 | Windows* XP Embedded | All releases prior to the corrected version | e100032e.sys [Version 7.2.17]; e1000325.sys [Version 8.7.9.0] |
| Intel® PRO/1000 | Windows* 2000 (82541ER) | All releases prior to the corrected version | e10002ke.sys [Version 7.2.17.0] |

Once you have verified that you have an affected driver, follow these steps to determine if you have a vulnerable configuration. Note that Administrator privileges are required to use the Device Manager and Registry Editor Windows applications.

Step 1: Determine which Intel Ethernet network hardware devices exist on the system.

  • Open Device Manager.
    • Right-click on “My Computer” (“Computer” in Vista). The “My Computer” or “Computer” icon can be found by clicking the “Start” button on the Windows* desktop. The icon may also be visible directly on the Windows* desktop.
    • Select “Properties”.
    • On Windows* Vista, select “Advanced System Settings”, observe the User Account Control dialog appear, and select “Continue”.
    • Select “Hardware”.
    • Select “Device Manager”.
  • Expand the “Network Adapters” node within Device Manager.
  • If you do not see an Intel Ethernet network adapter labeled either “PRO/100” or “PRO/1000”, your system is not vulnerable; otherwise, continue to Step 2.

Step 2: For each Intel Ethernet network adapter, determine whether the device driver software is of a vulnerable version.

  • Follow Step 1 to observe the Intel Ethernet network adapters on the system in Device Manager.
  • For each Intel Ethernet network adapter visible in Device Manager:
    • Observe the adapter name in Device Manager. Note whether the adapter is a “PRO/100” (100 Mb/s) or a “PRO/1000” (1000 Mb/s).
    • Right-click on the adapter, and select Properties.
    • Select “Driver”.
    • Observe the Driver Version. This is a number of the form x.x.x.x.
    • Compare this driver version to the table of affected driver versions. For PRO/100 adapters, use the first row of the table. For PRO/1000 adapters, use the second and third rows of the table.
      • For PRO/1000 adapters, an optional step (not required by virtue of the fact that the PRO/1000 and PRO/1000 PCIe versions do not overlap) is to determine whether the device is a PRO/1000 or PRO/1000 PCIe device. This can be most easily accomplished by clicking on “Driver Details” on this same “Driver” page and observing the name of the .sys file. If that file begins with “e1e”, the device is a PRO/1000 PCIe device, and the third row of the table should be used. Otherwise, it should be a PRO/1000 PCI device with a name beginning with “e1g” or “e1000”, and the second row in the table should be used.
    • If the driver version is not one of the affected versions per this table, the system is not vulnerable; otherwise, continue to Step 3.

Step 3: For each Intel Ethernet network adapter which has a vulnerable device driver version, examine the PcNic registry setting.

  • Follow Step 1 to observe the Intel Ethernet network adapters on the system in Device Manager.
  • For each Intel Ethernet network adapter visible in Device Manager:
    • Follow Step 2 to determine whether the device driver software is of an affected version. If the driver is not vulnerable, Step 3 may be skipped for this adapter.
    • Right-click on the adapter, and select Properties.
    • Select “Details”.
    • In the “Property” selection box, select “Hardware Ids”.
    • Keep this window open for later reference.
    • Open up the Registry Editor. On the command line (opened with “run as Administrator” in Vista), type “regedit”.
    • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI.
    • Open the next subkey (under PCI) with the name that matches the longest string in the “Hardware Ids” property observed above.
    • Open the next subkey which is named in the form x&xxxxxxxx&xx&xxxx (e.g. 3&b1bfb68&0&FA). If there is more than one such subkey, then there are multiple adapters of the same Hardware Id on the system. This can occur either when multiple physical adapter cards are present or when a single adapter card has multiple ports. Each subkey corresponds to a different network adapter visible in Device Manager. A set of such adapters that have the same Hardware Id appears in Device Manager with a common base name appended with “ #n” where n is a sequentially increasing numeric value. In this situation of multiple adapters of common Hardware Id, it is not strictly necessary to correlate the registry subkey with the device node in Device Manager as long as every subkey is examined. Such correlation can optionally be achieved by matching the PCI bus/device/function number visible in the “LocationInformation” value of the subkey with the same information visible on the General property page of device manager. In most cases, there will be a single subkey under a given Hardware Id. If there is more than one, check them all.
    • Examine the Driver value. This value should be of the form “{4d36e972-e325-11ce-bfc1-08002be10318}\xxxx”. Make note of the value xxxx (e.g. 0008) for use below.
    • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}.
    • Open the next subkey matching the Driver value examined above.
    • Within this subkey, look for a value of type string (REG_SZ) named “PcNic”. If the “PcNic” value exists and is “0”, the system is not vulnerable (even if the driver version is one of the affected versions). If the “PcNic” value either does not exist or exists with a value of “1” (assuming in either case that the driver version is one of the affected versions), then the system is vulnerable.
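
Steps 1 to 3 can be scripted on hosts that have Windows PowerShell 2.0 or later. The script below is an added example, not Intel's code: it covers only the first table (not the embedded drivers), relies on the WMI class Win32_PnPSignedDriver for the adapter name, driver version and device instance path, and its variable names are illustrative.

```powershell
# Added example (not Intel's code). Assumes Windows PowerShell 2.0 or later.
# Automates Steps 1-3: find PRO/100 and PRO/1000 adapters, compare the driver
# version with the advisory's affected ranges, then read the PcNic value.
$netClass = '{4D36E972-E325-11CE-BFC1-08002bE10318}'

# Inclusive affected ranges copied from the advisory's first table.
$affected = @(
    @{ Row = 'PRO 10/100';    Pattern = 'PRO/100(?!0)'; Low = [version]'4.2.38.1'; High = [version]'8.0.27.0' },
    @{ Row = 'PRO/1000';      Pattern = 'PRO/1000';     Low = [version]'6.2.21.0'; High = [version]'8.7.1.0' },
    @{ Row = 'PRO/1000 PCIe'; Pattern = 'PRO/1000';     Low = [version]'9.0.15.0'; High = [version]'9.1.34.0' }
)

Get-WmiObject Win32_PnPSignedDriver |
    Where-Object { $_.ClassGuid -eq $netClass -and $_.DeviceName -match 'PRO/100' } |
    ForEach-Object {
        $dev = $_
        $ver = [version]$dev.DriverVersion
        # Step 2: does the version fall inside a range that applies to this adapter?
        $hit = $affected | Where-Object {
            $dev.DeviceName -match $_.Pattern -and $ver -ge $_.Low -and $ver -le $_.High
        } | Select-Object -First 1

        $pcNic = $null
        $status = 'Not vulnerable (driver version not affected)'
        if ($hit) {
            # Step 3: Enum\<instance path> holds Driver = "{class GUID}\xxxx",
            # which names the Class subkey that may contain PcNic.
            $enumKey   = "HKLM:\SYSTEM\CurrentControlSet\Enum\$($dev.DeviceID)"
            $driverRef = (Get-ItemProperty -LiteralPath $enumKey).Driver
            $classKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$driverRef"
            $pcNic     = (Get-ItemProperty -LiteralPath $classKey).PcNic
            # Only an explicit "0" clears the adapter; missing or "1" is vulnerable.
            if ($pcNic -eq '0') { $status = 'Not vulnerable (PcNic = 0)' }
            else                { $status = 'VULNERABLE' }
        }
        New-Object PSObject -Property @{
            Adapter = $dev.DeviceName; DriverVersion = $dev.DriverVersion
            PcNic   = $pcNic;          Status        = $status
        }
    } | Select-Object Adapter, DriverVersion, PcNic, Status
```

An empty PcNic column next to VULNERABLE means the value does not exist, which the advisory treats the same as “1”.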

Note 1: For Win CE drivers there is no version number, use the file creation date of the driver file.

Recommendations: 

While Intel is not aware of any malicious use of the vulnerability described in this advisory, users should upgrade to the latest software release. The following URLs contain the software download which resolves this vulnerability.

10/100: http://support.intel.com/support/network/sb/cs-006103.htm

Gigabit: http://support.intel.com/support/network/sb/cs-006120.htm

A workaround is available by editing the "PcNic" registry setting. This change will affect packet scheduling where different traffic priorities have been configured. It is important to note that this does not permanently fix the issue, as it can be undone by changing the registry back. It is strongly recommended that users upgrade to the latest software release. To implement the workaround, follow the steps above to locate the "PcNic" registry setting, set the value to "0", and reboot the system.

Acknowledgements: 

Intel would like to thank eEye Digital Security (www.eeye.com) for working with us.

Revision history:

| Revision | Date | Description |
|---|---|---|
| 1.0 | 12-January-2007 | Migrating existing content to new Intel Product Security Center. |
| 1.1 | 24-January-2008 | Added affected embedded devices |
