
New NetCAT Vulnerability Exploits DDIO on Intel Xeon Processors to Steal Data

Mussels

Moderprator
Staff member
Oof, this one actually sounds like it can do some serious damage out in the wild
 
Joined Feb 1, 2013
that allows compromised servers in a network to steal data from every other machine on its local network
Sounds like one needed to have a bigger problem in the first place.
 
Joined Feb 3, 2017
https://www.vusec.net/projects/netcat/ said:
More precisely, with NetCAT, we can leak the arrival time of the individual network packets from an SSH session using a remote cache side channel. Why is this useful? In an interactive SSH session, every time you press a key, network packets are being directly transmitted. As a result, every time you, as the victim, type a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet. Now, humans have distinct typing patterns. For example, typing ‘s’ right after ‘a’ is faster than typing ‘g’ after ‘s’. As a result, NetCAT can perform statistical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session.
 
Joined Nov 4, 2005
If (insert social media) can tell where I want to eat, where I bank, what kind of car I drive, where I live, know my phone number and much else only a little more info is needed to unlock the rest of who anyone is, and this is that key.
 
Joined Jun 25, 2014
"AMD EPYC processors don't support DDIO. "

How convenient...
 
Joined Sep 28, 2012
DDIO, or Direct Data I/O, is an Intel-exclusive performance enhancement that allows NICs to directly access a processor's L3 cache,
:wtf:
To my knowledge, remote session had to pass through BMC and gain elevated privilege within SPI. So either Intel screwed big time with their APM or they didn't have working TPM like EPYC. This is embarrassing to say the least, although with just simple firmware they can patch it :shadedshu:
 
Joined Feb 3, 2017
The attack vector is legitimate and it needs to be plugged but the issue is not as severe or as easy to exploit as demo and description in news implies.

tl;dr
- Attacker and Victim are connected to the same third machine (let's call it server for now). Separate NICs on server, so attacker and victim have no other point of contact.
- Victim has an interactive SSL session (every key press immediately sends a package).
- With some preparation, attacking computer can watch RX Buffer in the server where victim is transferring data to.
- Comparing the times packets were sent by attacker and times packets were detected to be received, attacker can determine when packets were received.
- Next, a good data set and cool algorithm is applied to the packet times (or more precisely inter-packet times) to predict what word was likely typed.

Basically, the information gathered is that there was a package received along with timing.
Busy network would throw some wrenches into this. The victim in the example video uses automated typing based on trained data which makes it a little less impressive.
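The two technical passages above (the vusec quote on inter-arrival timing and the tl;dr list) both come down to one observation: in an interactive session each key press produces one packet, so packet gaps mirror digraph typing latencies. The block below is an added example, not code from this thread or from the NetCAT paper. It models that leak with a constructed digraph latency table and a nearest-neighbour matcher, then shows the defender-side countermeasure: the client sends on a fixed clock and fills idle ticks with chaff, so the gap vector carries no keystroke information. OpenSSH 9.5 shipped this idea as client-side keystroke timing obfuscation (`ObscureKeystrokeTiming`); the `obscure()` schedule here is a simplified model of that approach, not OpenSSH's code. Word list, latencies and the 20 ms tick are constructed values.

```python
"""Keystroke timing leak from an interactive SSH-style session, and the
client-side mitigation of sending on a fixed clock with chaff packets.

Added example, not code from the forum post or the NetCAT paper. The digraph
latencies, words and tick size are constructed values for illustration."""

# Constructed per-digraph typing latencies in milliseconds (key-to-key).
# A real profile would be learned per user; these only need to be distinct.
DIGRAPH_MS = {
    "pa": 150, "as": 90, "ss": 140, "st": 180, "sw": 120,
    "wo": 160, "or": 110, "rd": 170, "po": 200, "rt": 130,
}
DEFAULT_MS = 175  # latency assumed for any digraph not in the table
TICK_MS = 20      # fixed send interval used by the obscured schedule


def keystroke_times(word, table=DIGRAPH_MS):
    """Absolute times (ms) at which each keystroke's packet leaves the client.
    One packet per key press: exactly the property the attack relies on."""
    times = [0]
    for prev, cur in zip(word, word[1:]):
        times.append(times[-1] + table.get(prev + cur, DEFAULT_MS))
    return times


def inter_arrival(times):
    """Gaps between consecutive packets: the only signal the RX-buffer side
    channel gives an observer, since the payload itself stays encrypted."""
    return [b - a for a, b in zip(times, times[1:])]


def guess_word(observed_gaps, candidates, table=DIGRAPH_MS):
    """Nearest-neighbour match of observed gaps against each candidate's
    expected gap pattern. Returns None when no candidate has the same packet
    count, i.e. the stream cannot be one-packet-per-keystroke of any candidate."""
    best, best_score = None, None
    for word in candidates:
        expected = inter_arrival(keystroke_times(word, table))
        if len(expected) != len(observed_gaps):
            continue
        score = sum(abs(o - e) for o, e in zip(observed_gaps, expected))
        if best_score is None or score < best_score:
            best, best_score = word, score
    return best


def obscure(times, tick_ms=TICK_MS, tail_ticks=5):
    """Simplified model of keystroke timing obfuscation: real keystrokes are
    held until the next tick boundary, and a packet (real or chaff) is sent on
    every tick from the first keystroke until tail_ticks after the last one.
    Returns the packet times an on-path observer would see. The residual leak
    is only the packet count (coarse session duration); a randomised tail
    length would blur even that."""
    first = times[0] - (times[0] % tick_ms)          # round down to tick
    last_real = times[-1] + (-times[-1] % tick_ms)   # round up to tick
    end = last_real + tail_ticks * tick_ms
    return list(range(first, end + 1, tick_ms))


def leaked_gaps(word, obscured=False):
    """Gap vector the observer sees for `word`, with or without the mitigation."""
    times = keystroke_times(word)
    return inter_arrival(obscure(times) if obscured else times)


CANDIDATES = ["pass", "past", "post", "password", "passport"]

if __name__ == "__main__":
    for word in ("pass", "password"):
        raw = leaked_gaps(word)
        hidden = leaked_gaps(word, obscured=True)
        print(f"{word}: raw gaps {raw} -> guess {guess_word(raw, CANDIDATES)}")
        print(f"{word}: obscured gaps all {TICK_MS} ms: {set(hidden) == {TICK_MS}}"
              f" -> guess {guess_word(hidden, CANDIDATES)}")
```

Run as-is: with raw timings the matcher recovers both words from their gap vectors; with the obscured schedule every gap is exactly one tick, so the matcher has nothing to score and returns None. The cost of the mitigation is bandwidth (one small packet per tick while typing) and up to one tick of added latency per keystroke, which is the trade-off any fixed-clock padding scheme makes.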
 

eidairaman1

The Exiled Airman
This sort of news is getting old :laugh:
Here we go again ;)
"Security" Not really
Leadership in vulnerability ;)
I just wish they do these things behind closed doors, ie sent it directly to Intel/AMD to fix because I'm getting bored of this. There's no need for this to be in the public arena.
Consumers shouldn't know about the defects in the products they're sold, eh?
Maybe some hackers will also now know....
When defects exist in products consumers have their hands on, it should always be assumed that the defects are known.

This should be a basic guiding principle. With transparency comes responsibility.

The notion that various 3rd-parties, various corporations with their particular corporate agendas, various executives with stocks to sell, various controversial agencies, should be able to trump press freedom is odious at best.

Besides, as I noted, consumers have an inherent right to know what it is that they bought. Money is life abstracted. When someone hands over a portion of their life for a product they deserve to know what they gave some of their life to get.
>We initiated a coordinated disclosure process with Intel and NCSC (the Dutch national CERT) on June 23, 2019. The vulnerability was acknowledged by Intel with a bounty and CVE-2019-11184 was assigned to track this issue. The public disclosure was on September 10, 2019.

As always* the vendor was informed way before the public for this exact reason, to evaluate and prepare mitigations.

*'cept that time "they" tried to short-sell AMD ayy lmao
That's debatable.

Personally, I think protecting the public welfare ranks well below some other agendas, when it comes to those managing these matters. Otherwise, transparency, not censorship, would be the method not the objection.

Underlying all of this is the argument that freedom of the press should be suspended whenever there is a security flaw in a product. Unacceptable. People have the right to know what defects are in the products they bought, immediately upon discovery of those defects — not when Google nor any other corporation deigns to tell them — not when people have been able to game the stock market and the PR arena.
As long as it is fixed who cares. If you keep pushing & poking at any hardware long enough you will always find something.
Will this nightmare ever end?
I am NOT surprised
Lol. When can we assume that Intel threw security out the window to get performance way back when C2D was new and just never bothered to stop and fix it, cause they were the king of performance.
Looks like Intel & Security are a dichotomy at this point :slap:

Safe to say anything closed source can have hidden vulnerabilities. This just makes open source keep looking better and better all the time...

Intel sewed bad seed with their bribes/arrogance/ignorance, now they are facing the wrath of their bad crop
 
Joined May 9, 2012
"DDIO, or Direct Data I/O, is an Intel-exclusive performance enhancement that allows NICs to directly access a processor's L3 cache, completely bypassing a server's RAM, to increase NIC performance and lower latencies. "
ok now we see that all "Intel-exclusive performance enhancement" that give them a "performance edge" over the concurrence are bound to be security vulnerability ....

sooo, basically once patched these "enhancement" (read underhanded tricks) will not be "enhancement" anymore i wonder how much % will they lose this time (ofc for the mass it means literally nothing and the difference is not so much noticeable on a daily use basis .... but still ... )

bottom line ... "if you are faster than your concurrent using exploitable performances enhancement, it would be better to be on the same level as them, be more secure and priced adequately."

"Intel is superior, you get what you pay for, 9900KS king of the desktop, Xeon King of your datacenter, all for the safe data, real world matter!"
 
Joined Dec 26, 2012
I just wish they do these things behind closed doors, ie sent it directly to Intel/AMD to fix because I'm getting bored of this. There's no need for this to be in the public arena.
Whoa, isn't this the old Ostrich burying its head in a hole philosophy? Intel/AMD consumers should be made aware of vulnerabilities of their CPUs, which can be exploited, so that they can at least pressure Intel (or AMD for that matter) to ensure that the vulnerabilities are patched.
 
Joined Jan 15, 2015
The statement that AMD gave regarding open sourcing their Security Engine is that it contains licensed parts and they will get in trouble if they share it.
Londo Mollari's little friend on his shoulder was licensed, too.
 
Joined May 13, 2010

Solaris17

Dainty Moderator
Staff member
Joined Aug 20, 2007
Maybe some hackers will also now know....
The hackers are plenty capable of figuring it out on their own... and no, they don't learn from "youtube vids". :laugh:

This only affects Server chips/chipset combos though. And it's isolated to lan use cases. Low risk factor, IMO.
 