Intel Ethernet controller vulnerable to 'packet of death'

Sending a specially crafted packet to an Intel 82574L Ethernet controller can cause the hardware to hang, and the 'packet of death' could be put to malicious use and crash systems even when protected by a firewall.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor
(Credit: Intel)

A bug discovered in Intel's 82574L Ethernet controller leaves equipment vulnerable to attack via a so-called "packet of death."

Star2Star's chief technology officer Kristian Kielhofner identified the root of the bug, after customers began reporting that their Star2Star-branded hardware was experiencing random crashes. This put the company on the trail of the bug, which eventually lead to Intel's Ethernet controller.

"The system and Ethernet interfaces would appear fine," writes Kielhofner, "and then after a random amount of traffic the interface would report a hardware error (lost communication with PHY) and lose link. Literally the link lights on the switch and interface would go out. It was dead."

Kielhofner explains what he means by "dead."

"Nothing but a power cycle would bring it back. Attempting to reload the kernel module or reboot the machine would result in a PCI scan error. The interface was dead until the machine was physically powered down and powered back on. In many cases, for our customers, this meant a truck roll." ('Truck roll' is slang for needing a technician to visit the scene to fix the problem.)

After a lot of packet captures, Star2Star traced the problem to a particular VoIP manufacturer, and after further lengthy debugging the responsible packet was identified.

"Problem packets had just the right Call-ID, tags, and branches to cause the '2' in the ptime to line up with 0x47f."

So far, the problem appeared to be isolated and confined to a particular vendor—except that it isn't. Kielhofner's team was able to create packets and target them at particular systems.

"With a modified HTTP server configured to generate the data at byte value (based on headers, host, etc.) you could easily configure an HTTP 200 response to contain the packet of death - and kill client machines behind firewalls!"

Kielhofner has posted a test page that allows system admins to test to see if their equipment is vulnerable. But  be careful that you don't end up needing a truck roll.

Kielhofner's team has been working with Intel on a fix for this bug, but as yet it is unclear how widespread the problem is or how other Intel hardware is affected.

UPDATE: An Intel spokesperson says that this is "one case scenario isolated to one specific motherboard maker and  incorrect implementation of the controller on their motherboard (incorrect EEPROM image was programmed during manufacturing)." More details as soon as I get them.

Editorial standards