Wednesday, September 11th 2019

New NetCAT Vulnerability Exploits DDIO on Intel Xeon Processors to Steal Data

DDIO, or Direct Data I/O, is an Intel-exclusive performance enhancement that allows NICs to directly access a processor's L3 cache, completely bypassing the a server's RAM, to increase NIC performance and lower latencies. Cybersecurity researchers from the Vrije Universiteit Amsterdam and ETH Zurich, in a research paper published on Tuesday, have discovered a critical vulnerability with DDIO that allows compromised servers in a network to steal data from every other machine on its local network. This include the ability to obtain keystrokes and other sensitive data flowing through the memory of vulnerable servers. This effect is compounded in data centers that have not just DDIO, but also RDMA (remote direct memory access) enabled, in which a single server can compromise an entire network. RDMA is a key ingredient in shoring up performance in HPCs and supercomputing environments. Intel in its initial response asked customers to disable DDIO and RDMA on machines with access to untrusted networks, while it works on patches.

The NetCAT vulnerability spells big trouble for web hosting providers. If a hacker leases a server in a data-center with RDMA and DDIO enabled, they can compromise other customers' servers and steal their data. "While NetCAT is powerful even with only minimal assumptions, we believe that we have merely scratched the surface of possibilities for network-based cache attacks, and we expect similar attacks based on NetCAT in the future," the paper reads. We hope that our efforts caution processor vendors against exposing microarchitectural elements to peripherals without a thorough security design to prevent abuse." The team also published a video briefing the nature of NetCAT. AMD EPYC processors don't support DDIO.
The video detailing NetCAT follows.

Source: Arstechnica
Add your own comment

38 Comments on New NetCAT Vulnerability Exploits DDIO on Intel Xeon Processors to Steal Data

#1
yoyo2004
This sort of news is getting old :laugh:
Posted on Reply
#3
Jem991
"Security" Not realy
Posted on Reply
#4
Candor
Leadership in vulnerability ;)
Posted on Reply
#5
RichF
At this point it seems reasonable to assume that Intel's designs are horribly insecure. So, the biggest question seems to be: How insecure are AMD's Zen designs?

Another question is: How fast can a processor be if it's made to be completely secure — or, at least — made with security first and everything else second?

(I also don't like black boxes so it would have to be fully transparent. I don't consider secret piggybacked CPUs to be a recipe for security, so AMD already fails with that. Reportedly, that PSP was stripped for China but who knows what was substituted.)

It would be nice to see VIA step up with a fully-transparent fully-security-minded x86 CPU but it's working for China these days it seems and has never been a high-performance player.
Posted on Reply
#6
delshay
oldtimenoob, post: 4114451, member: 179258"
Here we go again ;)
I just wish they do these things behind closed doors, ie sent it directly to Intel/AMD to fix because i'm getting bored of this. There's no need for this to be in the public arena.
Posted on Reply
#7
RichF
delshay, post: 4114487, member: 171810"
I just wish they do these things behind closed doors, ie sent it directly to Intel/AMD to fix because i'm getting bored of this. There's no need for this to be in the public arena.
Consumers shouldn't know about the defects in the products they're sold, eh?
Posted on Reply
#8
oldtimenoob
RichF, post: 4114490, member: 154826"
Consumers shouldn't know about the defects in the products they're sold, eh?
Maybe some hackers will also now know....
Posted on Reply
#9
RichF
oldtimenoob, post: 4114492, member: 179258"
Maybe some hackers will also now know....
When defects exist in products consumers have their hands on, it should always be assumed that the defects are known.

This should be a basic guiding principle. With transparency comes responsibility.

The notion that various 3rd-parties, various corporations with their particular corporate agendas, various executives with stocks to sell, various controversial agencies, should be able to trump press freedom is odious at best.

Besides, as I noted, consumers have an inherent right to know what it is that they bought. Money is life abstracted. When someone hands over a portion of their life for a product they deserve to know what they gave some of their life to get.
Posted on Reply
#10
Vinska
oldtimenoob, post: 4114492, member: 179258"
Maybe some hackers will also now know....
>We initiated a coordinated disclosure process with Intel and NCSC (the Dutch national CERT) on June 23, 2019. The vulnerability was acknowledged by Intel with a bounty and CVE-2019-11184 was assigned to track this issue. The public disclosure was on September 10, 2019.

As always* the vendor was informed way before the public for this exact reason, to evaluate and prepare mitigations.

*'cept that time "they" tried to short-sell AMD ayy lmao
Posted on Reply
#11
RichF
Vinska, post: 4114498, member: 97223"
for this exact reason
That's debatable.

Personally, I think protecting the public welfare ranks well below some other agendas, when it comes to those managing these matters. Otherwise, transparency, not censorship, would be the method not the objection.

Underlying all of this is the argument that freedom of the press should be suspended whenever there is a security flaw in a product. Unacceptable. People have the right to know what defects are in the products they bought, immediately upon discovery of those defects — not when Google nor any other corporation deigns to tell them — not when people have been able to game the stock market and the PR arena.
Posted on Reply
#12
Vinska
RichF, post: 4114503, member: 154826"
That's debatable.
Agree, but in that post I used the "official reasoning" for delayed public disclosure on purpose.
Not trying to bash anyone, but if a person is not yet even aware of the standard practice of delayed public disclosure, no point in delving into the silver lining until they do some more of their own research.
Posted on Reply
#13
RichF
Vinska, post: 4114507, member: 97223"
Agree, but in that post I used the "official reasoning" for delayed public disclosure on purpose.
Not trying to bash anyone, but if a person is not yet even aware of the standard practice of delayed public disclosure, no point in delving into the silver lining until they do some more of their own research.
Well, since there is no actual legal basis for it it's not all that surprising that not everyone knows about it.

Ad hoc policies dreamt-up by random megacorps are hardly something that we should consider set in stone.

Of course, someone will respond to my point by advocating a period of martial law whenever there is a security flaw found. :wtf:
Posted on Reply
#14
delshay
RichF, post: 4114490, member: 154826"
Consumers shouldn't know about the defects in the products they're sold, eh?
As long as it is fixed who cares. If you keep pushing & poking at any hardware long enough you will always find something.
Posted on Reply
#15
RichF
delshay, post: 4114512, member: 171810"
As long as it is fixed who cares. If you keep pushing & poking at any hardware long enough you will always find something.
Takata airbags. Only one in a long long list of reasons why transparency is always the better policy.

Besides, "you will always find something" is a tangent. I have been discussing disclosure, not how easy it is to find the flaws. Debating the process involved in finding the flaws is a worthwhile thing but it's a separate issue entirely.
Posted on Reply
#16
delshay
oldtimenoob, post: 4114492, member: 179258"
Maybe some hackers will also now know....
Thank you. & if the fix takes too long who knows what damage has already been done. Anyone can become a hacker with-in weeks, just look at Youtube videos, it's scary.
Posted on Reply
#17
Arc1t3ct
Will this nightmare ever end?
Posted on Reply
#19
Steevo
Lol. When can we assume that Intel threw security out the window to get performance way back when C2D was new and just never bothered to stop and fix it, cause they were the king of performance.
Posted on Reply
#20
TheinsanegamerN
delshay, post: 4114530, member: 171810"
Thank you. & if the fix takes too long who knows what damage has already been done. Anyone can become a hacker with-in weeks, just look at Youtube videos, it's scary.
If you think transparency will lead to hackers getting the best of you via YouTube training, you probably should be using a modern PC. Have you considered Etch-a-sketch?

Always assume hacking groups already know about a vulnerability. And dont hide vulnerabilities. If you hide one and it leaks out after being abused, you are in for a world of hurt.
Posted on Reply
#21
Mysteoa
RichF, post: 4114464, member: 154826"
(I also don't like black boxes so it would have to be fully transparent. I don't consider secret piggybacked CPUs to be a recipe for security, so AMD already fails with that. Reportedly, that PSP was stripped for China but who knows what was substituted.)
The statement that AMD gave regarding opening sourcing their Security Engine is that it contains license parts and they will get in trouble if they share it.
Posted on Reply
#22
Dave65
delshay, post: 4114487, member: 171810"
I just wish they do these things behind closed doors, ie sent it directly to Intel/AMD to fix because i'm getting bored of this. There's no need for this to be in the public arena.
I think we have a right to know how vulnerable things can be, especially on server chips.
The Intel fan babies won't like this :roll:
Posted on Reply
#23
BorgOvermind
They should of named that 'feature' DILDO - damaging intel leak data option.

It's the 3rd time lately when intel tries to cheat on performance by ignoring security and they get burned for it.
Posted on Reply
#24
yakk
Looks like Intel & Security are a dichotomy at this point :slap:

Safe to say anything closed source can have hidden vulnerabilities. This just makes open source keep looking better and better all the time...
Posted on Reply
#25
Mussels
Moderprator
Oof, this one actually sounds like it can do some serious damage out in the wild
Posted on Reply
Add your own comment