- Security researchers have reported a new side-channel attack against Intel server CPUs that abuses the Data-Direct I/O (DDIO) feature.
- Named NetCAT (Network Cache ATtack), this vulnerability lets a network attacker infer keystrokes in other users' SSH sessions to a vulnerable server, without running any code on that server.
Researchers at VU Amsterdam (Vrije Universiteit Amsterdam) have published details of the NetCAT vulnerability in Intel server-grade CPUs. It abuses Intel DDIO to leak, over the network, what the server's CPU cache is processing.
- DDIO was introduced to speed up I/O on Intel server CPUs: it lets peripherals such as network cards read and write the CPU's last-level cache directly, bypassing main memory.
- NetCAT can spy on an SSH session just by sending network packets to the server and timing the responses. No malicious code needs to run on the target.
- This vulnerability, tracked as CVE-2019-11184 by Intel, is a side-channel leak that requires the attacker to have direct network access to the vulnerable system, not code execution on it.
How can the vulnerability be exploited?
Attackers can observe cache activity in a DDIO-enabled CPU by sending network packets to it and measuring how long the responses take. This requires that the attacker's machine has direct (RDMA) network access to the target.
- The research uses the prime+probe technique: the attacker first fills (primes) a region of the server's last-level cache with its own data, then re-reads (probes) it and measures the latency. A slower read means the server's network card evicted the attacker's data while storing an incoming packet, revealing that a packet arrived and in which cache location.
- An interactive SSH session sends a network packet every time a key is pressed. By detecting the arrival of each packet, NetCAT leaks the timing of each keystroke.
- Because people type with characteristic delays between particular key pairs, those inter-keystroke intervals can be analyzed to guess what users type in their private SSH sessions.
- If Remote Direct Memory Access (RDMA) is also enabled, the attacker can read and write a region of the remote server's memory directly, and can thereby control where in the server's memory, and so in which cache sets, network packets land.
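The prime+probe and keystroke-timing steps above, as an added simulation that is not the researchers' or Intel's code. It models a small set-associative last-level cache with LRU replacement: the attacker primes one cache set, the server's NIC DDIO-writes each incoming SSH packet into a receive buffer that maps to that set, and the attacker's next probe sees the extra latency. The cache geometry, the addresses, the hit/miss latencies and the assumption that the attacker has already located the set the receive buffer maps to are all choices made for the demo, not values from the paper.

```python
"""Constructed simulation of the NetCAT prime+probe step (added example, not
VUSec's or Intel's code).  A set-associative last-level cache (LLC) with LRU
replacement; the attacker primes one set with its own lines, the NIC writes
incoming SSH packets straight into that set via DDIO, and the probe latency
reveals each packet's arrival.  Cache size, addresses and latencies below are
assumptions chosen for the demo, not values from the paper."""
from collections import OrderedDict

LINE_BYTES = 64              # size of one cache line
HIT_NS, MISS_NS = 40, 120    # assumed latencies: LLC hit vs. miss to DRAM


class SetAssocCache:
    """Set-associative cache with LRU replacement, keyed by line tag."""

    def __init__(self, sets=1024, ways=8):
        self.sets, self.ways = sets, ways
        self.lines = [OrderedDict() for _ in range(sets)]

    def set_index(self, addr):
        return (addr // LINE_BYTES) % self.sets

    def access(self, addr):
        """Touch a line. Returns True on a hit, False on a miss (after filling it)."""
        way_set = self.lines[self.set_index(addr)]
        tag = addr // LINE_BYTES
        if tag in way_set:
            way_set.move_to_end(tag)      # mark most recently used
            return True
        if len(way_set) >= self.ways:
            way_set.popitem(last=False)   # evict the least recently used line
        way_set[tag] = True
        return False


def eviction_set(cache, target_set, base=0x1000_0000):
    """Attacker-owned addresses (one per way) that all map to target_set.
    Assumption: the attacker can RDMA-read any address in its registered region."""
    stride = cache.sets * LINE_BYTES      # distance between lines of the same set
    assert base % stride == 0
    return [base + target_set * LINE_BYTES + i * stride for i in range(cache.ways)]


def prime(cache, addrs):
    for a in addrs:
        cache.access(a)


def probe(cache, addrs):
    """Re-read the primed lines; returns simulated total latency in ns.
    Any miss means something else (here: the NIC) used the set since the prime."""
    return sum(HIT_NS if cache.access(a) else MISS_NS for a in addrs)


def ddio_write(cache, buf_addr, length):
    """NIC delivers a packet straight into the LLC (DDIO) instead of DRAM."""
    for off in range(0, length, LINE_BYTES):
        cache.access(buf_addr + off)


def run_attack(keystroke_ticks, ticks, rx_buf=0x2000_0040, noise=()):
    """Run `ticks` probe rounds; return the ticks at which a packet into the SSH
    receive buffer was detected.  `noise` lists (tick, addr) writes of unrelated
    traffic landing in other buffers, which must not trigger detection."""
    cache = SetAssocCache()
    # Assumption: the attacker already knows which set the SSH receive buffer maps to.
    attacker_lines = eviction_set(cache, cache.set_index(rx_buf))
    baseline = len(attacker_lines) * HIT_NS   # latency when nothing was evicted
    prime(cache, attacker_lines)
    detected = []
    for t in range(ticks):
        if t in keystroke_ticks:              # one SSH packet per key press
            ddio_write(cache, rx_buf, 64)
        for noise_tick, addr in noise:
            if noise_tick == t:
                ddio_write(cache, addr, 64)
        if probe(cache, attacker_lines) > baseline:   # the probe also re-primes
            detected.append(t)
    return detected


def inter_keystroke_intervals(ticks):
    """Gaps between detected packets: the timing information the attack leaks."""
    return [b - a for a, b in zip(ticks, ticks[1:])]


if __name__ == "__main__":
    keys = {3, 7, 12, 20}
    other_traffic = [(5, 0x3000_0080)]   # packet for a buffer in a different set
    seen = run_attack(keys, ticks=25, noise=other_traffic)
    print("detected packet ticks:", seen)
    print("inter-keystroke intervals:", inter_keystroke_intervals(seen))
```

In the real attack the probe is an RDMA read whose round-trip time is measured from the attacker's machine, and locating the right cache set is itself a reverse-engineering step; the simulated hit and miss latencies here only stand in for that difference. The packet written to a different set at tick 5 is not detected, which is why controlling where packets land (via RDMA) matters.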
What did the Intel team do?
Intel was notified of the vulnerability in June 2019. No security patch is available yet, as Intel classifies the issue as low severity.
An Intel spokesperson told ZDNet, “Intel received notice of this research and determined it to be low severity (CVSS score of 2.6) primarily due to complexity, user interaction, and the uncommon level of access that would be required in scenarios where DDIO and RDMA are typically used.”
Intel has released mitigation advice, which includes limiting direct access from untrusted networks on systems where DDIO and RDMA are enabled.