NetCAT Vulnerability Threatens Intel Server Processors

Amsterdam Free University has published details of the NetCAT vulnerability (Network Cache ATtack, CVE-2019-11184), which threatens all Intel processors that support Data-Direct I/O Technology (Intel DDIO) and Remote Direct Memory Access (RDMA).

If both features are enabled, a remote attacker can intercept some data in the CPU cache.

NetCAT is a side-channel attack, specifically a timing attack: it relies on observing how long the processor takes to process certain data.

“Based on this information, it is possible to guess which data is being processed. Intel DDIO and RDMA greatly facilitate this attack through network packets,” say the researchers.

Experts explain that the root of the problem lies in the Intel DDIO mechanism, which was created for server processors to optimize their performance. With DDIO, peripheral devices such as a network card can write data directly to the processor cache (instead of RAM, as is usually the case).

Originally, this mechanism was created for large data centers and cloud platforms, where servers work with high-speed network connections and RAM is not always enough. DDIO has been enabled by default on all Intel server processors since 2012 (such as the Intel Xeon E5, E7, and SP families).

As it turns out, having DDIO enabled can also benefit cybercriminals: by sending specially crafted network packets to a processor with DDIO support, an attacker can monitor what else the CPU is processing. The NetCAT attack cannot be used to steal arbitrary data from a remote CPU, but it can steal information that arrives in the form of network packets and lands in the shared DDIO cache.

In particular, the researchers found that NetCAT can intercept keystrokes on the target machine during an SSH session with great accuracy. Enabling RDMA makes such an attack even more effective.

“During an interactive SSH session, every time you press a key, network packets are transmitted directly. As a result, during an encrypted SSH session, every time a victim enters a character in the console, NetCAT can reveal the time of this event by revealing the arrival time of the corresponding network packet,” experts explain. “The fact is that people have pronounced print styles. For example, typing ‘S’ after ‘A’ will be faster than typing ‘G’ after ‘S’. As a result, NetCAT can apply a static analysis of packet arrival times by performing a timing attack to intercept keystrokes to reveal what the target is picking up.”

Amsterdam Free University experts notified Intel engineers about this problem in July of this year, but instead of patches, the company published a security bulletin that describes ways to reduce the risk and mitigate the consequences. Intel recommends disabling DDIO and RDMA on vulnerable processors or restricting direct access to vulnerable systems from external untrusted networks.

Intel representatives report that the problem is of low severity (only 2.6 points on the CVSS scale) and that exploitation of the bug is difficult and unlikely, because in scenarios where Intel DDIO and RDMA are usually used (for example, massively parallel computing clusters), attackers usually do not have direct access from untrusted networks.
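To see which hosts Intel's recommendation applies to, the following triage check is an added example (not code from the researchers or from Intel) that flags Linux machines combining an Intel Xeon CPU with registered RDMA devices. It assumes the standard `/proc/cpuinfo` and `/sys/class/infiniband` paths; the `SYSROOT` override is a hypothetical name used only for testing. It cannot read the DDIO setting itself and relies on the article's statement that DDIO is on by default on these CPUs.

```shell
#!/bin/sh
# Added example: NetCAT exposure triage for a Linux host.
# Each function takes an optional root prefix (hypothetical parameter) so the
# checks can be run against a constructed directory tree as well as "/".

# Prints yes/no/unknown: is this an Intel Xeon, the server line the article
# says has shipped with DDIO enabled by default since 2012?
intel_xeon_cpu() {
    root="${1:-}"
    cpuinfo="$root/proc/cpuinfo"
    [ -r "$cpuinfo" ] || { echo unknown; return 0; }
    if grep -q '^vendor_id.*GenuineIntel' "$cpuinfo" &&
       grep -qi '^model name.*Xeon' "$cpuinfo"; then
        echo yes
    else
        echo no
    fi
}

# Prints one RDMA device name per line (InfiniBand, RoCE and iWARP adapters
# all register under this sysfs class); prints nothing when none exist.
rdma_devices() {
    root="${1:-}"
    dir="$root/sys/class/infiniband"
    [ -d "$dir" ] || return 0
    for d in "$dir"/*; do
        [ -e "$d" ] && basename "$d"
    done
    return 0
}

# Combines both checks into a one-line verdict for an inventory report.
netcat_exposure() {
    root="${1:-}"
    cpu=$(intel_xeon_cpu "$root")
    devs=$(rdma_devices "$root" | tr '\n' ' ')
    case "$cpu" in
        yes)
            if [ -n "$devs" ]; then
                echo "REVIEW: Intel Xeon with RDMA devices: $devs"
            else
                echo "PARTIAL: Intel Xeon (DDIO on by default), no RDMA devices"
            fi ;;
        no) echo "OK: not an Intel Xeon" ;;
        *)  echo "UNKNOWN: cannot read CPU information" ;;
    esac
}

netcat_exposure "${SYSROOT:-}"
```

A `REVIEW` result marks a host where Intel's advice to disable DDIO and RDMA, or to restrict access from untrusted networks, should be checked against how the machine is actually reachable.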

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
