Security Experts:

NetCAT Attack: Hackers Can Remotely Steal Data From Servers With Intel CPUs

Researchers have discovered yet another side-channel attack method that can be exploited to steal potentially sensitive data from devices powered by Intel processors.

Dubbed NetCAT (Network Cache ATtack), the new attack was identified by members of the Systems and Network Security Group at VU Amsterdam. The vulnerability that makes an attack possible, tracked as CVE-2019-11184, is related to Intel’s Data Direct I/O (DDIO) technology.

DDIO, a feature enabled by default on all Intel Xeon E5 and E7 v2 server processors, is designed to improve performance and reduce power consumption, and it provides network devices access to the CPU cache.

VU Amsterdam researchers have demonstrated that DDIO — particularly when Remote Direct Memory Access (RDMA) technology is also enabled —- allows a remote attacker to obtain data from an affected server by sending it specially crafted network packets.Intel Xeon processors affected by NetCAT vulnerability

The NetCAT attack does not require any malicious software to be executed on the remote server or client, and the experts have shown how it can be used to steal keystrokes from an SSH session.

“In an interactive SSH session, every time you press a key, network packets are being directly transmitted,” the researchers explained. “As a result, every time a victim you type a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet. Now, humans have distinct typing patterns. For example, typing ‘s’ right after ‘a’ is faster than typing ‘g’ after ‘s’. As a result, NetCAT can operate statical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session.”

RDMA makes the attack more efficient as it allows the exploit to “surgically control the relative memory location of network packets on the target server.”

In an attack scenario described by the researchers, “The attacker controls a machine which communicates over RDMA to an application server that supports DDIO and also services network requests from a victim client. NetCAT shows that attackers can successfully spy on remote server-side peripherals such as network cards to leak victim data over the network.”

According to the researchers, the most effective way to mitigate attacks is to disable DDIO — or at least RDMA to make attacks more difficult — in untrusted networks.

Intel also published an advisory for this vulnerability on Tuesday. The company assigned the flaw a “low” severity rating and described it as a partial information disclosure issue.

“Partial information potentially disclosed through exploitation of this vulnerability could be utilized to enhance unrelated attack methods,” the company said.

The researchers said they reported their findings to Intel in June and the chipmaker awarded them a bounty, but they did not disclose the amount.

Intel has advised customers to prevent potential attacks by limiting direct access from untrusted networks when DDIO and RDMA are enabled, and using software modules that are resistant to timing attacks through constant-time style code. However, the researchers don’t completely agree with the second mitigation.

“As long as the network card creates distinct patterns in the cache, NetCAT will be effective regardless of the software running on the remote server. Nonetheless, Intel’s recommendation to deploy side channel-resistant software may be helpful against future NetCAT-like attacks that target victim software on DDIO-enabled machines,” they said.

Ever since the disclosure of the Meltdown and Spectre vulnerabilities in January 2018, researchers have continued to find new side-channel attack methods affecting Intel processors. Some of the most recent are SWAPGS, ZombieLoad, RIDL and Fallout.

Related: Intel Patches Serious Vulnerability in Processor Diagnostic Tool

Related: Foreshadow: New Speculative Execution Flaws Found in Intel CPUs

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.