Unlike previous side-channel vulnerabilities disclosed in Intel CPUs, researchers have discovered a new flaw that can be exploited remotely over the network without requiring an attacker to have physical access or any malware installed on a targeted computer.
Dubbed NetCAT, short for Network Cache ATtack, the new network-based side-channel vulnerability could allow a remote attacker to sniff out sensitive data, such as someone’s SSH password, from Intel’s CPU cache.
Discovered by a team of security researchers from the Vrije University in Amsterdam, the vulnerability, tracked as CVE-2019-11184, resides in a performance optimization feature called Intel’s DDIO—short for Data-Direct I/O—which by design grants network devices and other peripherals access to the CPU cache.
The DDIO comes enabled by default on all Intel server-grade processors since 2012, including Intel Xeon E5, E7 and SP families.
According to the researchers [paper], NetCAT attack works similar to Throwhammer by solely sending specially crafted network packets to a targeted computer that has Remote Direct Memory Access (RDMA) feature enabled.
RDMA enables attackers to spy on remote server-side peripherals such as network cards and observe the timing difference between a network packet that is served from the remote processor’s cache versus a packet served from memory.
Here the idea is to perform a keystroke timing analysis to recover words typed by a victim using a machine learning algorithm against the time information.
“In an interactive SSH session, every time you press a key, network packets are being directly transmitted. As a result, every time a victim you type a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet,” explains the VUSec team.
“Now, humans have distinct typing patterns. For example, typing’s’ right after ‘a’ is faster than typing ‘g’ after’s.’ As a result, NetCAT can operate statical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session.”
“Compared to a native local attacker, NetCAT’s attack from across the network only reduces the accuracy of the discovered keystrokes on average by 11.7% by discovering inter-arrival of SSH packets with a true positive rate of 85%.”
The VUSec team has also published a video, as shown above, demonstrating a method for spying on SSH sessions in real-time with nothing but a shared server.
NetCAT becomes the new side-channel vulnerability joined the list of other dangerous side-channel vulnerabilities discovered in the past year, including Meltdown and Spectre, TLBleed, Foreshadow, SWAPGS, and PortSmash.
In its advisory, Intel has acknowledged the issue and recommended users to either completely disable DDIO or at least RDMA to make such attacks more difficult, or otherwise suggested to limit direct access to the servers from untrusted networks.
The company assigned the NetCAT vulnerability a “low” severity rating, describing it as a partial information disclosure issue, and awarded a bounty to the VUSec team for the responsible disclosure.