Intel server-grade CPUs impacted by new NetCAT attack

Academics develop new network-based attack that steals keystrokes from an active SSH session.

CPU processor

Image: David Latorre Romero

Academics from the Vrije University in Amsterdam have detailed today a new attack on Intel CPUs.

Named NetCAT, this is a vulnerability in all Intel chips that support the Data-Direct I/O Technology (Intel DDIO) and Remote Direct Memory Access (RDMA) features.

When these two features are enabled, academics have shown that they can launch an attack on remote, networked computers, and infer certain types of data that is being processed inside the CPU's cache.

The attack watches for small variations in the time the CPU needs to process data, and then, based on these variations, guesses what data may have been processed.

This type of attack is called a side-channel attack, and usually requires two conditions: (1) attacker with physical access to a computer, or (2) malware installed on the computer.

However, members of the Vrije University's Systems and Network Security Group (VUSec), have shown that the Intel DDIO and RDMA features facilitate a side-channel attack via network packets sent to a computer's network card.

Intel DDIO feature at fault

At fault is the Intel DDIO feature. This is a CPU speed optimization feature that was specifically designed for Intel's line of server-grade processors.

DDIO works by allowing peripherals, like the network card, direct access to write data inside the CPU cache, instead of RAM, as peripherals normally do.

The feature was developed for data centers and cloud computing platforms, where servers run on high-speed network connections, and where the RAM isn't always enough to process all the incoming data.

DDIO helps offload the vasts amount of data a network card might be receiving or sending by writing it to the CPU cache, where more information can be stored and processed at far superior speeds than in the RAM.

The feature is a must-have for server-grade computers and the reason why Intel has enabled DDIO by default for all Intel server-grade processors since 2012 -- such as the Intel Xeon E5, E7, and SP families.

The NetCAT attack

But in new reserch published today, VUSec academics have shown that sending carefully crafted network packets to a DDIO-capable CPU allows an attacker to keep an eye on what else is being processed in the CPU.

Attackers can't use the NetCAT attack to steal just any kind of data from a remote CPU, but only data that arrives as network packets and lands directly in the DDIO shared cache.

While this sounds useless, the VUSec team have shown how NetCAT can accurately infer keystrokes entered in an SSH session taking place on the attacked machine.

"In an interactive SSH session, every time you press a key, network packets are being directly transmitted," VUSec researchers said. "As a result, every time a victim you type a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet."

"Now, humans have distinct typing patterns. For example, typing 's' right after 'a' is faster than typing 'g' after 's'. As a result, NetCAT can operate statical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session," they added.

A NetCAT attack can work even if only the Intel DDIO feature is enabled; however, if the RDMA feature is also turned on, the attack becomes even more efficient.

*Remote Direct Memory Access, or RDMA, allows a computer to access another computer's memory without interacting with either computer's operating system data buffers. Therefore, networking speed and throughput are increased.

Patches not available

The VUSec team notified Intel of the NetCAT attack back in June, and Intel released mitigation advice today.

"Intel received notice of this research and determined it to be low severity (CVSS score of 2.6) primarily due to complexity, user interaction, and the uncommon level of access that would be required in scenarios where DDIO and RDMA are typically used," an Intel spokesperson told ZDNet.

"In the complex scenarios where Intel DDIO and RDMA are typically used, such as massively parallel computing clusters, malicious actors typically don't have direct access from untrusted networks."

Intel's recommendations include disabling the DDIO and RDMA features on affected CPUs, or limiting direct access to vulnerable systems from external, untrusted networks.

"Additional mitigations include the use of software modules resistant to timing attacks, using constant-time style code," Intel added.

However, VUSec researchers dispute that using side channel-resistant (constant-time) software would help. Instead, they recommend disabling at least RDMA on affected CPUs, since this reduces the attack's efficiency.

The NetCAT attack and vulnerability are tracked as CVE-2019-11184. Additional details are also available in a research paper titled "NetCAT: Practical Cache Attacks from the Network."