Wednesday, September 11th 2019

New NetCAT Vulnerability Exploits DDIO on Intel Xeon Processors to Steal Data

DDIO, or Direct Data I/O, is an Intel-exclusive performance enhancement that allows NICs to directly access a processor's L3 cache, completely bypassing the server's RAM, to increase NIC performance and lower latencies. Cybersecurity researchers from the Vrije Universiteit Amsterdam and ETH Zurich, in a research paper published on Tuesday, have discovered a critical vulnerability with DDIO that allows a compromised server in a network to steal data from every other machine on its local network. This includes the ability to obtain keystrokes and other sensitive data flowing through the memory of vulnerable servers. The effect is compounded in data centers that have not just DDIO but also RDMA (remote direct memory access) enabled, where a single server can compromise an entire network. RDMA is a key ingredient in shoring up performance in HPC and supercomputing environments. Intel, in its initial response, asked customers to disable DDIO and RDMA on machines with access to untrusted networks while it works on patches.

The NetCAT vulnerability spells big trouble for web hosting providers. If a hacker leases a server in a data center with RDMA and DDIO enabled, they can compromise other customers' servers and steal their data. "While NetCAT is powerful even with only minimal assumptions, we believe that we have merely scratched the surface of possibilities for network-based cache attacks, and we expect similar attacks based on NetCAT in the future," the paper reads. "We hope that our efforts caution processor vendors against exposing microarchitectural elements to peripherals without a thorough security design to prevent abuse." The team also published a video briefing on the nature of NetCAT. AMD EPYC processors don't support DDIO.
The video detailing NetCAT follows.

Source: Arstechnica

38 Comments on New NetCAT Vulnerability Exploits DDIO on Intel Xeon Processors to Steal Data

#26
mouacyk
that allows compromised servers in a network to steal data from every other machine on its local network
Sounds like one needed to have a bigger problem in the first place.
Posted on Reply
#27
londiste
Quoting https://www.vusec.net/projects/netcat/:
More precisely, with NetCAT, we can leak the arrival time of the individual network packets from a SSH session using a remote cache side channel. Why is this useful? In an interactive SSH session, every time you press a key, network packets are being directly transmitted. As a result, every time a victim types a character inside an encrypted SSH session on their console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet. Now, humans have distinct typing patterns. For example, typing ‘s’ right after ‘a’ is faster than typing ‘g’ after ‘s’. As a result, NetCAT can perform statistical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session.
Posted on Reply
#28
Steevo
Quoting londiste (post 4114630, member 169790):

If (insert social media) can tell where I want to eat, where I bank, what kind of car I drive, where I live, know my phone number and much else only a little more info is needed to unlock the rest of who anyone is, and this is that key.
Posted on Reply
#29
LocutusH
"AMD EPYC processors don't support DDIO. "

How convenient...
Posted on Reply
#30
1d10t
"DDIO, or Direct Data I/O, is an Intel-exclusive performance enhancement that allows NICs to directly access a processor's L3 cache,"
:wtf:
To my knowledge, a remote session had to pass through the BMC and gain elevated privilege within SPI. So either Intel screwed up big time with their APM or they didn't have a working TPM like EPYC. This is embarrassing to say the least, although with just simple firmware they can patch it :shadedshu:
Posted on Reply
#31
londiste
The attack vector is legitimate and it needs to be plugged but the issue is not as severe or as easy to exploit as demo and description in news implies.

tl;dr
- Attacker and Victim are connected to the same third machine (let's call it server for now). Separate NICs on server, so attacker and victim have no other point of contact.
- Victim has an interactive SSL session (every key press immediately sends a package).
- With some preparation, attacking computer can watch RX Buffer in the server where victim is transferring data to.
- Comparing the times packets were sent by attacker and times packets were detected to be received, attacker can determine when packets were received.
- Next, a good data set and cool algorithm is applied to the packet times (or more precisely inter-packet times) to predict what word was likely typed.

Basically, the information gathered is that there was a package received along with timing.
Busy network would throw some wrenches into this. The victim in the example video uses automated typing based on trained data which makes it a little less impressive.
Posted on Reply
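The two posts above (the vusec excerpt on keystroke timing and londiste's step list) describe the same mechanism: the observer only ever learns packet arrival times, and the leak exists because inter-arrival gaps follow the victim's typing rhythm. The following is an added illustration, not NetCAT code or anything from the vusec team: it simulates one packet per keystroke with constructed, made-up per-bigram delays, shows that the raw gaps differ by bigram, and then applies the standard defender-side countermeasure of releasing packets only on a fixed clock tick with chaff packets filling empty ticks, after which every observed gap equals the tick and carries no typing information. `TICK`, `BIGRAM_DELAY` and all timings are assumptions chosen for the demo.

```python
"""Constructed illustration of the keystroke-timing leak and of a clocked
transmit schedule as mitigation. Not NetCAT code; every number is made up."""
import math
import random
import statistics

TICK = 0.020  # assumed clock interval of the mitigated sender, in seconds

# Assumed per-bigram typing delays in seconds: (mean, jitter). Chosen only so
# that different bigrams have clearly different delays, as human typing does.
BIGRAM_DELAY = {
    "as": (0.080, 0.010),  # 's' right after 'a': fast
    "sg": (0.160, 0.015),  # 'g' after 's': slow
}
DEFAULT_DELAY = (0.120, 0.020)


def keystroke_times(text, rng):
    """Times at which an interactive session emits one packet per keystroke."""
    t = 0.0
    times = [t]
    for i in range(1, len(text)):
        mean, jitter = BIGRAM_DELAY.get(text[i - 1:i + 1], DEFAULT_DELAY)
        t += max(0.001, rng.gauss(mean, jitter))  # keep timestamps monotonic
        times.append(t)
    return times


def interarrival(times):
    """The only thing a remote observer of arrival times actually gets."""
    return [b - a for a, b in zip(times, times[1:])]


def mean_gap(text, rng, trials=200):
    """Average inter-arrival gap when `text` is typed unmitigated, repeatedly."""
    gaps = []
    for _ in range(trials):
        gaps.extend(interarrival(keystroke_times(text, rng)))
    return statistics.mean(gaps)


def clocked_schedule(times, tick=TICK, chaff_ticks=0):
    """Mitigation: packets leave only on clock ticks; every tick carries a
    packet (a coalesced keystroke or chaff), and `chaff_ticks` extra ticks run
    after the last keystroke so the end of typing is blurred as well."""
    n_ticks = math.ceil(times[-1] / tick) + 1 + chaff_ticks
    return [k * tick for k in range(n_ticks)]


def leaks_timing(gaps, tick=TICK, tol=1e-9):
    """True if observed gaps carry any information beyond the clock tick."""
    return any(abs(g - tick) > tol for g in gaps)


def run_demo(seed=1):
    """Returns (mean gap for 'as', mean gap for 'sg', raw leaks?, clocked leaks?)."""
    rng = random.Random(seed)
    gap_as = mean_gap("as", rng)
    gap_sg = mean_gap("sg", rng)
    raw = keystroke_times("asgsgas", rng)
    wire = clocked_schedule(raw, chaff_ticks=5)
    return gap_as, gap_sg, leaks_timing(interarrival(raw)), leaks_timing(interarrival(wire))


if __name__ == "__main__":
    gap_as, gap_sg, raw_leaks, clocked_leaks = run_demo()
    print(f"raw mean gap 'as': {gap_as:.3f}s   'sg': {gap_sg:.3f}s")
    print("raw gaps leak typing rhythm:", raw_leaks)
    print("clocked gaps leak typing rhythm:", clocked_leaks)
```

The clocked sender trades bandwidth and a little latency for a constant on-wire rhythm; the chaff after the last keystroke matters because otherwise the count of ticks still reveals roughly how long the victim typed. Since this side channel needs nothing but arrival times, the same reasoning applies whether the observer sits on the network path or, as with NetCAT, reads them out of a shared cache.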
#32
eidairaman1
The Exiled Airman
Quoting yoyo2004 (post 4114449, member 134165):
This sort of news is getting old :laugh:
Quoting oldtimenoob (post 4114451, member 179258):
Here we go again ;)
Quoting Jem991 (post 4114458, member 178205):
"Security" Not really
Quoting Candor (post 4114461, member 180101):
Leadership in vulnerability ;)
Quoting delshay (post 4114487, member 171810):
I just wish they do these things behind closed doors, ie sent it directly to Intel/AMD to fix because i'm getting bored of this. There's no need for this to be in the public arena.
Quoting RichF (post 4114490, member 154826):
Consumers shouldn't know about the defects in the products they're sold, eh?
Quoting oldtimenoob (post 4114492, member 179258):
Maybe some hackers will also now know....
Quoting RichF (post 4114497, member 154826):
When defects exist in products consumers have their hands on, it should always be assumed that the defects are known.

This should be a basic guiding principle. With transparency comes responsibility.

The notion that various 3rd-parties, various corporations with their particular corporate agendas, various executives with stocks to sell, various controversial agencies, should be able to trump press freedom is odious at best.

Besides, as I noted, consumers have an inherent right to know what it is that they bought. Money is life abstracted. When someone hands over a portion of their life for a product they deserve to know what they gave some of their life to get.
Quoting Vinska (post 4114498, member 97223):
>We initiated a coordinated disclosure process with Intel and NCSC (the Dutch national CERT) on June 23, 2019. The vulnerability was acknowledged by Intel with a bounty and CVE-2019-11184 was assigned to track this issue. The public disclosure was on September 10, 2019.

As always* the vendor was informed way before the public for this exact reason, to evaluate and prepare mitigations.

*'cept that time "they" tried to short-sell AMD ayy lmao
Quoting RichF (post 4114503, member 154826):
That's debatable.

Personally, I think protecting the public welfare ranks well below some other agendas, when it comes to those managing these matters. Otherwise, transparency, not censorship, would be the method not the objection.

Underlying all of this is the argument that freedom of the press should be suspended whenever there is a security flaw in a product. Unacceptable. People have the right to know what defects are in the products they bought, immediately upon discovery of those defects — not when Google nor any other corporation deigns to tell them — not when people have been able to game the stock market and the PR arena.
Quoting delshay (post 4114512, member 171810):
As long as it is fixed who cares. If you keep pushing & poking at any hardware long enough you will always find something.
Quoting Arc1t3ct (post 4114542, member 190440):
Will this nightmare ever end?
Quoting Crackong (post 4114560, member 185495):
I am NOT surprised
Quoting Steevo (post 4114596, member 19251):
Lol. When can we assume that Intel threw security out the window to get performance way back when C2D was new and just never bothered to stop and fix it, cause they were the king of performance.
Quoting yakk (post 4114624, member 158293):
Looks like Intel & Security are a dichotomy at this point :slap:

Safe to say anything closed source can have hidden vulnerabilities. This just makes open source keep looking better and better all the time...
Intel sewed bad seed with their bribes/arrogance/ignorance, now they are facing the wrath of their bad crop
Posted on Reply
#33
GreiverBlade
"DDIO, or Direct Data I/O, is an Intel-exclusive performance enhancement that allows NICs to directly access a processor's L3 cache, completely bypassing the a server's RAM, to increase NIC performance and lower latencies. "
ok now we see that all "Intel-exclusive performance enhancement" that give them a "performance edge" over the concurrence are bound to be security vulnerability ....

sooo, basically once patched these "enhancement" (read underhanded tricks) will not be "enhancement" anymore i wonder how much % will they lose this time (ofc for the mass it means literally nothing and the difference is not so much noticeable on a daily use basis .... but still ... )

bottom line ... "if you are faster than your concurrent using exploitable performances enhancement, it would be better to be on the same level as them, be more secure and priced adequately."

"Intel is superior, you get what you pay for, 9900KS king of the desktop, Xeon King of your datacenter, all for the safe data, real world matter!"
Posted on Reply
#34
GamerGuy
Quoting delshay (post 4114487, member 171810):
I just wish they do these things behind closed doors, ie sent it directly to Intel/AMD to fix because i'm getting bored of this. There's no need for this to be in the public arena.
Whoa, isn't this the old ostrich-burying-its-head-in-a-hole philosophy? Intel/AMD consumers should be made aware of vulnerabilities in their CPUs which can be exploited, so that they can at least pressure Intel (or AMD, for that matter) to ensure that the vulnerabilities are patched.
Posted on Reply
#35
RichF
Quoting Mysteoa (post 4114612, member 136867):
The statement that AMD gave regarding opening sourcing their Security Engine is that it contains license parts and they will get in trouble if they share it.
Londo Mollari's little friend on his shoulder was licensed, too.
Posted on Reply
#38
R-T-B
Quoting oldtimenoob (post 4114492, member 179258):
Maybe some hackers will also now know....
The hackers are plenty capable of figuring it out on their own... and no, they don't learn from "youtube vids". :laugh:

This only affects Server chips/chipset combos though. And it's isolated to lan use cases. Low risk factor, IMO.
Posted on Reply