Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

NetCAT Attack: Hackers Can Remotely Steal Data From Servers With Intel CPUs

Researchers have discovered yet another side-channel attack method that can be exploited to steal potentially sensitive data from devices powered by Intel processors.

Researchers have discovered yet another side-channel attack method that can be exploited to steal potentially sensitive data from devices powered by Intel processors.

Dubbed NetCAT (Network Cache ATtack), the new attack was identified by members of the Systems and Network Security Group at VU Amsterdam. The vulnerability that makes an attack possible, tracked as CVE-2019-11184, is related to Intel’s Data Direct I/O (DDIO) technology.

DDIO, a feature enabled by default on all Intel Xeon E5 and E7 v2 server processors, is designed to improve performance and reduce power consumption, and it provides network devices access to the CPU cache.

VU Amsterdam researchers have demonstrated that DDIO — particularly when Remote Direct Memory Access (RDMA) technology is also enabled —- allows a remote attacker to obtain data from an affected server by sending it specially crafted network packets.Intel Xeon processors affected by NetCAT vulnerability

The NetCAT attack does not require any malicious software to be executed on the remote server or client, and the experts have shown how it can be used to steal keystrokes from an SSH session.

“In an interactive SSH session, every time you press a key, network packets are being directly transmitted,” the researchers explained. “As a result, every time a victim you type a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet. Now, humans have distinct typing patterns. For example, typing ‘s’ right after ‘a’ is faster than typing ‘g’ after ‘s’. As a result, NetCAT can operate statical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session.”

RDMA makes the attack more efficient as it allows the exploit to “surgically control the relative memory location of network packets on the target server.”

In an attack scenario described by the researchers, “The attacker controls a machine which communicates over RDMA to an application server that supports DDIO and also services network requests from a victim client. NetCAT shows that attackers can successfully spy on remote server-side peripherals such as network cards to leak victim data over the network.”

According to the researchers, the most effective way to mitigate attacks is to disable DDIO — or at least RDMA to make attacks more difficult — in untrusted networks.

Intel also published an advisory for this vulnerability on Tuesday. The company assigned the flaw a “low” severity rating and described it as a partial information disclosure issue.

“Partial information potentially disclosed through exploitation of this vulnerability could be utilized to enhance unrelated attack methods,” the company said.

The researchers said they reported their findings to Intel in June and the chipmaker awarded them a bounty, but they did not disclose the amount.

Intel has advised customers to prevent potential attacks by limiting direct access from untrusted networks when DDIO and RDMA are enabled, and using software modules that are resistant to timing attacks through constant-time style code. However, the researchers don’t completely agree with the second mitigation.

“As long as the network card creates distinct patterns in the cache, NetCAT will be effective regardless of the software running on the remote server. Nonetheless, Intel’s recommendation to deploy side channel-resistant software may be helpful against future NetCAT-like attacks that target victim software on DDIO-enabled machines,” they said.

Ever since the disclosure of the Meltdown and Spectre vulnerabilities in January 2018, researchers have continued to find new side-channel attack methods affecting Intel processors. Some of the most recent are SWAPGS, ZombieLoad, RIDL and Fallout.

Related: Intel Patches Serious Vulnerability in Processor Diagnostic Tool

Related: Foreshadow: New Speculative Execution Flaws Found in Intel CPUs

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.