The Privacy Projects

NetCAT Hack Grants Attackers Access to Sensitive Data from Intel

A team of researchers from VUSec Group in the Vrije Universiteit in Amsterdam have found out a new weakness that could be exploited by remote attackers who are looking to get sensitive information by setting a side-channel attack over a network. The experts discovered this flaw and nicknamed it NetCAT (Network Cache Attack). It can do a great deal of damage to all of Intel server-grade processors, as they get sensitive data sniffed from their networks.

The weakness was tracked and labeled as CVE-2019-11184. It’s located in the performance optimization feature named DDIO (Data-Direct I/O). This is a feature that was created to offer access to CPU cache to network devices and external peripherals.

The team intended to show that NetCAT is a threat that extends to several clients not worthy of trust on the network. They can leak sensitive data such as keystrokes in an SSH session on a remote server with no local access. The cause of this vulnerability is DDIO since it grants such broad access to devices without discrimination. Any hacker controlling a machine on the network can use the flaw to get all confidential data they need from a single SSH session.

More About NetCAT and How It Works

The team at VUSec Group also explained that by using a learning algorithm against the time information, it is possible to manage a keystroke timing analysis that would allow hackers to discover the words written by the user. This happens because network packets are transmitted directly. The result is that every time the user types a character on the encrypted SSH session of their console, they will leak the timing of the event as well. The result is full disclosure on the arrival time of the network packet.

Even with the distinct typing patterns of humans, NetCAT can handle statical analysis about the interval timings of each packet. This is also known as a keystroke timing attack, and it’s used to leak every single work typed on a private SSH session. The researchers at VUSec Group also discovered that compared to native local hackers, the NetCAT attack handled by remote attackers loses half the accuracy of keystrokes revealed. The recorded average of local inter-arrival SSH packets has a positive rate of 85%.

Currently, Intel is trying to fix the issue and recommending users to disable DDIO and RDMA to block any form of attack. The multinational suggested limitations on the direct access to the servers from any non-trusted networks. The company has classified this threat as “low” for the time being, and they awarded VUSec Group with an undisclosed sum for their discoveries.