Written by Anthony Carballo
on September 17, 2019

What did happen?

Researchers have discovered a new vulnerability dubbed NetCAT (Network Cache Attack) it can be exploited on Intel server-grade CPUs, those that have Data Direct I/O Technology (Intel DDIO) and Remote Direct Memory Access (RDMA), allowing the leakage of SSH passwords and everything else you type – luckily it’s not easy to exploit -not so lucky that it doesn’t need any kind of malware to be installed or event doesn’t need physical access to the targeted device.

According to Intel, this is due to a race condition in specific microprocessors which may allow an authenticated user to enable information disclosure via adjacent access.


RDMA (Remote Direct Memory Access) permits attackers to spy on remote server-side peripherals such as network cards and perceive the timing difference between a network packet that is served from the remote processor's cache

The group of researchers at Vrije Universiteit Amsterdam explains that during an interactive SSH session, every time you press a key, network packets are being directly transmitted, consequently, every time a victim type a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet, this is used with machine learning algorithm against the time information. They have published a video on YouTube where demonstrate the PoC (Proof of Concept)

Can we solve it?

NetCAT mainly affects those who offer cloud hosting. An attacker who rents space in a Data Center with active RDMA and DDIO, can compromise the data of all network users. Currently, AMD EPYC is not compatible with DDIO since is a performance enhancement exclusive to Intel which allows NICs to directly access the L3 cache of a processor, so AMD would not be affected by this vulnerability.

Unfortunately, at the time of writing, Intel has no patch for this vulnerability, all you can do for now, is follow the recommendations below.

Exploiting the NetCAT outside the controlled conditions of a research environment is a complex task, however, there are possibilities that this can compromise servers and therefore a company's network. This vulnerability has been classified as a low severity per the industry-standard Common Vulnerability Scoring System (CVSS) since there are no reports this vulnerability being exploited and as mentioned, due to its complexity.

This vulnerability is tracked under:



CVSS Overall Score: 2.6 (Low)

CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Vulnerable Processors

Intel® Xeon® E5, E7 and SP families that support DDIO and RDMA.

Our Advices

  1. Limit direct access from untrusted networks where DDIO & RDMA are enabled (They are enabled by default).
  2. The use of software modules resistant to timing attacks, using constant-time style code.
  3. Disabling DDIO is a mitigation for the vulnerability (or at least disabling the RDMA to reduce the chances). If RDMA is also enabled, the vulnerability immediately exposes your server to practical side-channel attacks over the network
  4. You can disable DDIO by adjusting the Integrated I/O configuration registers.

TTPs: Tactics, techniques and procedures

CVEs: Common Vulnerabilities and Exposures

Let Us Know What You Thought about this Post.

Put your Comment Below.

You may also like:

Cyber News The Breacher Report

Marriott-Starwood 500 Million Records Exposed.

In this edition the Knogin's  "Breacher Report" we focus on the recent Marriott-Starwood data breach that has been the t...

Cyber News Cybersecurity Awareness

Hello Admin 12345, your days are numbered.

Have you ever heard of a ‘common sense law’? Well, California just passed SB327 that raises cybersecurity standards.  An...

Cyber News

Sectors Investing the Most and Least on Cyber Security in 2018

According to a recent article by Nathan Kitto published in BusinessNewsWales, over the last few years, the frequency and...