Researchers have disclosed a new vulnerability in Intel CPUs that can be exploited remotely over the network, without the attacker needing physical access to the targeted computer or any malware running on it.
The new network-based side-channel attack, dubbed NetCAT (short for Network Cache Attack), lets a remote attacker infer sensitive data, such as the keystrokes of an SSH session and therefore potentially an SSH password, from timing effects in the Intel CPU's cache.
The flaw was discovered by the VUSec security research group at Vrije Universiteit Amsterdam. Tracked as CVE-2019-11184, it resides in a performance optimization feature called Intel Data-Direct I/O (DDIO), which lets network cards and other peripherals read from and write to the CPU's last-level cache directly instead of going through main memory.
DDIO has been enabled by default on Intel server-grade processors since 2012, including the Intel Xeon E5, E7 and SP families.
NetCAT works in a similar setting to VUSec's earlier Throwhammer attack: the attacker sends specially crafted network packets to a target server that has Remote Direct Memory Access (RDMA) enabled.
RDMA lets a remote machine read and write registered regions of the server's memory without involving the server's CPU, and with DDIO those accesses are served from the processor's last-level cache. By timing RDMA reads of its own buffers, the attacker can tell whether a cache line was served from the cache or from main memory, and so whether something else, such as the network card writing an incoming packet from another client into the cache, has evicted that line in the meantime.
The idea is then to perform a keystroke timing analysis: the arrival times of the victim's packets, observed through those cache evictions, reveal when keys were pressed, and a machine learning model trained on typing patterns recovers the words the victim typed from that timing information alone.
The VUSec team explains that in an interactive SSH session every key press is transmitted immediately as its own network packet. So whenever the victim types a character into an encrypted SSH session, NetCAT can leak the timing of that keystroke by leaking the arrival time of the corresponding packet.
Because each person has a distinct typing pattern, NetCAT can apply statistical analysis to the inter-arrival times of those packets, in what is known as a keystroke timing attack, to leak what the victim types in a private SSH session. The SSH encryption offers no protection here, since the attack never reads the packet contents, only when they arrive.
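The following Python program walks through the three stages described above on a synthetic trace: a cache probe log turned into packet arrival times, arrival times turned into inter-keystroke gaps, and the gaps matched against a per-victim timing model to guess the typed word. It is an added illustration, not VUSec's code. Everything in it is constructed: in the real attack the probe is an RDMA read over the network and the latencies are noisy, and the bigram timing model is learned from a corpus of the victim's typing rather than hand-written.

```python
import math

# All numbers below are constructed for the demonstration.
HIT_NS = 2000         # RDMA read served from the server's last-level cache
MISS_NS = 2450        # RDMA read served from DRAM after the line was evicted
THRESHOLD_NS = 2200   # hit/miss decision boundary for the probe
PROBE_PERIOD_US = 50  # attacker re-reads (re-primes) its lines every 50 us


def make_probe_trace(arrival_times_us, duration_us):
    """Constructed stand-in for the attacker's probe log.

    Returns (probe_time_us, latency_ns) pairs.  The attacker keeps its own
    RDMA buffer resident in the DDIO-reserved cache ways.  When the NIC writes
    an incoming victim packet into those same ways it evicts the attacker's
    line, so the first probe at or after each arrival sees a miss; that read
    reloads the line, so later probes hit again."""
    arrivals = sorted(arrival_times_us)
    trace, next_arrival = [], 0
    for t in range(0, duration_us, PROBE_PERIOD_US):
        latency = HIT_NS
        if next_arrival < len(arrivals) and t >= arrivals[next_arrival]:
            latency = MISS_NS
            next_arrival += 1
        trace.append((t, latency))
    return trace


def detect_packet_arrivals(trace, threshold_ns=THRESHOLD_NS):
    """Stage 1: latency spikes in the probe log are packet arrival times (us)."""
    return [t for t, latency in trace if latency > threshold_ns]


def inter_arrival_ms(arrivals_us):
    """Stage 2: inter-arrival times between consecutive keystroke packets."""
    return [(b - a) / 1000.0 for a, b in zip(arrivals_us, arrivals_us[1:])]


# Constructed per-victim timing model: for each key pair, (mean, stddev) of the
# delay between the two key presses in ms.  The real attack fits such a model
# to a corpus of the victim's typing; these values are made up.
BIGRAM_MODEL = {
    ("s", "s"): (110, 25), ("s", "h"): (180, 40),
    ("s", "u"): (240, 50), ("u", "d"): (160, 35), ("d", "o"): (130, 30),
    ("e", "x"): (300, 60), ("x", "i"): (220, 45), ("i", "t"): (120, 30),
    ("c", "a"): (200, 40), ("a", "t"): (150, 35), ("l", "s"): (170, 40),
}
DEFAULT_TIMING = (250, 100)  # prior for key pairs the model has not seen
CANDIDATES = ["ls", "ssh", "cat", "sudo", "exit"]  # constructed dictionary


def log_likelihood(word, deltas_ms):
    """Stage 3: Gaussian log-likelihood of the observed gaps under a word."""
    if len(word) - 1 != len(deltas_ms):
        return float("-inf")  # wrong number of keystrokes for this word
    total = 0.0
    for (a, b), d in zip(zip(word, word[1:]), deltas_ms):
        mean, sd = BIGRAM_MODEL.get((a, b), DEFAULT_TIMING)
        total += -0.5 * ((d - mean) / sd) ** 2 - math.log(sd * math.sqrt(2 * math.pi))
    return total


def recover_word(deltas_ms, candidates=CANDIDATES):
    """Return the candidate word whose timing model best explains the gaps."""
    return max(candidates, key=lambda w: log_likelihood(w, deltas_ms))


def run_attack(trace):
    """Whole pipeline: probe log -> arrival times -> gaps -> guessed word."""
    return recover_word(inter_arrival_ms(detect_packet_arrivals(trace)))


if __name__ == "__main__":
    # Constructed victim session: "sudo" typed with 240, 160 and 130 ms gaps.
    victim_keystrokes_us = [10_000, 250_000, 410_000, 540_000]
    trace = make_probe_trace(victim_keystrokes_us, duration_us=600_000)
    print("recovered:", run_attack(trace))
```

The point of the split into stages is that only the first one touches the side channel; everything after it is the classic keystroke timing attack, which is why disabling the remote probe (RDMA) or the cache sharing (DDIO) is what stops NetCAT, not anything in SSH itself.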
The VUSec team has also published a video demonstrating the attack spying on an SSH session in real time, with nothing more than a server shared between the attacker and the victim.
Intel has acknowledged the issue in an advisory and recommends either disabling DDIO, or at least RDMA, on servers exposed to untrusted networks to make such attacks more difficult, or otherwise limiting direct access to those servers from untrusted networks. Disabling RDMA removes the remote probe NetCAT relies on, while disabling DDIO removes the underlying cache sharing at the cost of the I/O performance the feature exists to provide.
Intel assigned the NetCAT vulnerability a "low" severity rating (CVSS 2.6), describing it as a partial information disclosure issue, and awarded the VUSec team a bounty for responsibly disclosing it.