What did happen?
Researchers have discovered a new vulnerability dubbed NetCAT (Network Cache Attack). It can be exploited on Intel server-grade CPUs that have Data Direct I/O Technology (Intel DDIO) and Remote Direct Memory Access (RDMA), allowing the leakage of SSH passwords and everything else you type. Luckily, it is not easy to exploit; less luckily, it does not need any malware to be installed on the target, nor does it need physical access to the targeted device.
According to Intel, this is due to a race condition in specific microprocessors which may allow an authenticated user to enable information disclosure via adjacent access.
RDMA (Remote Direct Memory Access) permits attackers to spy on remote server-side peripherals such as network cards and perceive the timing difference between a network packet that is served from the remote processor's cache
The group of researchers at Vrije Universiteit Amsterdam explains that during an interactive SSH session, every time you press a key, a network packet is transmitted directly. Consequently, every time a victim types a character inside an encrypted SSH session on their console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet; a machine learning algorithm is then run against this timing information. They have published a video on YouTube demonstrating the PoC (Proof of Concept): https://youtu.be/QXut1XBymAk
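The paragraph above describes the channel itself: one packet per keystroke means packet arrival times reproduce the typing rhythm. The following Python model is an added illustration, not code from the NetCAT researchers or the article, and uses a constructed list of keystroke times. It shows the gaps an observer of packet arrivals would see in the default per-keystroke case, and that a fixed-rate transmission scheme (an assumed padding design, not something the article proposes) leaves nothing in those gaps to feed a classifier.

```python
"""Added illustration (not from the NetCAT paper or the article): why per-keystroke
packets leak typing rhythm, and how fixed-rate transmission removes that signal."""
from statistics import pstdev

# Constructed sample: times (in ms) at which a user pressed keys in an interactive
# session. Interactive SSH sends one packet per keystroke, so an observer who only
# sees packet arrival times recovers these gaps exactly.
KEYSTROKE_TIMES_MS = [0, 180, 310, 620, 700, 1150, 1290]


def interarrival(times):
    """Gaps between consecutive packet arrivals, in ms."""
    return [b - a for a, b in zip(times, times[1:])]


def per_keystroke_packets(keystrokes):
    """Model of the default behaviour: one packet leaves the moment a key is pressed,
    so the packet arrival times are the keystroke times."""
    return list(keystrokes)


def fixed_rate_packets(keystrokes, interval_ms):
    """Model of a padding scheme (assumed, not the article's): a packet leaves every
    `interval_ms` ms whether or not a key was pressed; a keystroke rides in the next
    slot and empty slots carry chaff. Returns the arrival times an observer sees."""
    end = max(keystrokes)
    slots = []
    t = 0
    while t <= end + interval_ms:
        slots.append(t)
        t += interval_ms
    return slots


def timing_signal(arrivals):
    """Spread of the inter-arrival gaps: 0.0 means the arrivals carry no rhythm
    for a classifier to learn from."""
    gaps = interarrival(arrivals)
    return pstdev(gaps) if len(gaps) > 1 else 0.0


if __name__ == "__main__":
    leaky = per_keystroke_packets(KEYSTROKE_TIMES_MS)
    padded = fixed_rate_packets(KEYSTROKE_TIMES_MS, interval_ms=20)
    print("per-keystroke gaps:", interarrival(leaky), "spread:", timing_signal(leaky))
    print("fixed-rate gaps:", sorted(set(interarrival(padded))), "spread:", timing_signal(padded))
```

The cost of the padded scheme is bandwidth and a small added latency per keystroke, which is why it is a client-side choice rather than a default; OpenSSH 9.5 and later ship a client option of this kind (ObscureKeystrokeTiming), which postdates the article.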
Can we solve it?
NetCAT mainly affects those who offer cloud hosting. An attacker who rents space in a data center with active RDMA and DDIO can compromise the data of all network users. Currently, AMD EPYC is not compatible with DDIO, since it is a performance enhancement exclusive to Intel that allows NICs to directly access the L3 cache of a processor, so AMD would not be affected by this vulnerability.
Unfortunately, at the time of writing, Intel has no patch for this vulnerability; all you can do for now is follow the recommendations below.
Exploiting NetCAT outside the controlled conditions of a research environment is a complex task; however, it could still compromise servers and therefore a company's network. This vulnerability has been classified as low severity under the industry-standard Common Vulnerability Scoring System (CVSS), since there are no reports of this vulnerability being exploited and, as mentioned, due to its complexity.
This vulnerability is tracked under:
CVSS Overall Score: 2.6 (Low)
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
Affected products: Intel® Xeon® E5, E7 and SP families that support DDIO and RDMA.
- Limit direct access from untrusted networks where DDIO and RDMA are enabled (they are enabled by default).
- Use software modules that are resistant to timing attacks, written in constant-time style.
- Disabling DDIO mitigates the vulnerability (or at least disable RDMA to reduce the exposure). If RDMA is also enabled, the vulnerability immediately exposes your server to practical side-channel attacks over the network.
- You can disable DDIO by adjusting the Integrated I/O configuration registers.
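Two of the recommendations above can be backed by code. The Python below is an added example, not from the article or from Intel: `rdma_devices` reports whether the Linux kernel has any RDMA device registered (it exposes each one as a directory under `/sys/class/infiniband`, so an empty list means the network side of NetCAT is not available on that host; the directory argument exists only so the function can be exercised on a test tree), and `naive_compare` next to `constant_time_compare` shows what "constant-time style" means: the early-exit comparison reveals, through how much work it does, where the first mismatch lies, while the constant-time version examines every byte before deciding. The sample secret and guesses are constructed.

```python
"""Added example (not from the article or Intel): an RDMA presence audit for Linux,
and an early-exit comparison beside its constant-time counterpart."""
import hmac
import os


def rdma_devices(sysfs_dir="/sys/class/infiniband"):
    """Names of RDMA (InfiniBand/RoCE/iWARP) devices the kernel has registered.
    An empty list means no RDMA NIC is active. `sysfs_dir` is a parameter only so
    the function can be pointed at a test tree instead of the live sysfs."""
    if not os.path.isdir(sysfs_dir):
        return []
    return sorted(os.listdir(sysfs_dir))


def naive_compare(secret, guess):
    """Early-exit comparison, the pattern constant-time code avoids.
    Returns (equal, positions_examined); the second value is what an observer of
    the function's running time effectively learns."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def constant_time_compare(secret, guess):
    """Same result, but every byte is examined regardless of where the first
    mismatch lies: differences are OR-ed into an accumulator and the decision is
    made once at the end. hmac.compare_digest implements the same idea in C and
    is what production code should call; it is cross-checked here."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        diff |= s ^ g
    equal = diff == 0
    assert equal == hmac.compare_digest(secret, guess)
    return equal, examined


if __name__ == "__main__":
    print("RDMA devices:", rdma_devices() or "none")
    token = b"correct-horse"  # constructed sample secret
    for guess in (b"cxxxxxxxxxxxx", b"correct-hxxxx", b"correct-horse"):
        print(guess, "naive:", naive_compare(token, guess),
              "constant-time:", constant_time_compare(token, guess))
```

Run on a host, the first line tells you whether the RDMA recommendation applies at all; the comparison output shows the naive version stopping after 2 and 10 positions for the two wrong guesses while the constant-time version always touches all 13.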