Amsterdam Free University has published details on the NetCAT vulnerability (Network Cache ATtack, CVE-2019-11184) that threatens all Intel processors that support Data-Direct I / O Technology (Intel DDIO) and Remote Direct Memory Access (RDMA).
If these two functions are active, using a remote attack you can intercept some data in the CPU cache.NetCAT is a side-channel attack and is a type of time-based attack: it is based on observing how much time the processor takes to process certain data.
“Based on this information, it is possible to guess which data is being processed. Intel DDIO and RDMA greatly facilitate this attack through network packets”, – say the researchers.
Experts explain that the root of the problem is related to the Intel DDIO mechanism, which was created for server processors and was designed to optimize their work. Using DDIO, peripheral devices, such as a network card, can get direct access writing data to the processor cache (instead of RAM, as is usually the case).
Read also: Researchers discovered vulnerabilities in Zyxel devices
Firstly, this mechanism was created for large data centers and cloud platforms, where servers work with high-speed network connections, and RAM is not always enough. DDIO functionality has been enabled by default for all Intel server processors since 2012 (such as the Intel Xeon E5, E7, and SP families).
As it turned out now, the inclusion of DDIO could be beneficial for cybercriminals. Therefore, sending specially prepared network packets to a processor with DDIO support will allow an attacker to monitor what else the CPU is processing. The NetCAT attack cannot be used to steal arbitrary data from a remote CPU, but it is possible to steal information that comes in the form of network packets and falls into the general DDIO cache.
In particular, the researchers found that NetCAT with great accuracy helps intercepting keystrokes on the target machine during an SSH session. Enabling RDMA will make such an attack even more effective.
“During an interactive SSH session, every time you press a key, network packets are transmitted directly. As a result, during an encrypted SSH session, every time a victim enters a character in the console, NetCAT can reveal the time of this event by revealing the arrival time of the corresponding network packet, experts explain. – The fact is that people have pronounced print styles. For example, typing “S” after “A” will be faster than typing “G” after “S”. As a result, NetCAT can apply a static analysis of packet arrival times by performing a timing attack to intercept keystrokes to reveal what the target is picking up”.
Amsterdam Free University experts notified Intel engineers about this problem in July of this year, but instead of patches, the company published a security bulletin that describes methods to reduce risks and mitigate the consequences. So, Intel recommends disabling DDIO and RDMA on vulnerable processors or restricting direct access to vulnerable systems from external untrusted networks.