Wednesday, September 11th 2019
New NetCAT Vulnerability Exploits DDIO on Intel Xeon Processors to Steal Data
DDIO, or Direct Data I/O, is an Intel-exclusive performance enhancement that allows NICs to directly access a processor's L3 cache, completely bypassing the server's RAM, to increase NIC performance and lower latencies. Cybersecurity researchers from the Vrije Universiteit Amsterdam and ETH Zurich, in a research paper published on Tuesday, have discovered a critical vulnerability in DDIO that allows a compromised server on a network to steal data from other machines on its local network. This includes the ability to obtain keystrokes and other sensitive data flowing through the memory of vulnerable servers. The effect is compounded in data centers that have not just DDIO, but also RDMA (remote direct memory access) enabled, in which case a single server can compromise an entire network. RDMA is a key ingredient in shoring up performance in HPC and supercomputing environments. Intel in its initial response asked customers to disable DDIO and RDMA on machines with access to untrusted networks while it works on patches.
The NetCAT vulnerability spells big trouble for web hosting providers. If a hacker leases a server in a data center with RDMA and DDIO enabled, they can compromise other customers' servers and steal their data. "While NetCAT is powerful even with only minimal assumptions, we believe that we have merely scratched the surface of possibilities for network-based cache attacks, and we expect similar attacks based on NetCAT in the future," the paper reads. "We hope that our efforts caution processor vendors against exposing microarchitectural elements to peripherals without a thorough security design to prevent abuse." The team also published a video explaining the nature of NetCAT. AMD EPYC processors don't support DDIO. The video detailing NetCAT follows.
Source:
Arstechnica
38 Comments on New NetCAT Vulnerability Exploits DDIO on Intel Xeon Processors to Steal Data
How convenient...
To my knowledge, a remote session had to pass through the BMC and gain elevated privilege within SPI. So either Intel screwed up big time with their APM or they didn't have a working TPM like EPYC. This is embarrassing to say the least, although with just simple firmware they can patch it :shadedshu:
tl;dr
- Attacker and Victim are connected to the same third machine (let's call it the server for now). Separate NICs on the server, so attacker and victim have no other point of contact.
- Victim has an interactive SSL session (every key press immediately sends a package).
- With some preparation, the attacking computer can watch the RX buffer in the server where the victim is transferring data to.
- Comparing the times packets were sent by the attacker and the times packets were detected to be received, the attacker can determine when packets were received.
- Next, a good data set and cool algorithm is applied to the packet times (or more precisely inter-packet times) to predict what word was likely typed.
Basically, the information gathered is that there was a package received along with timing.
A busy network would throw some wrenches into this. The victim in the example video uses automated typing based on trained data, which makes it a little less impressive.
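The tl;dr above hinges on one property of the victim's session: a packet goes out the instant each key is pressed, so the inter-packet gaps an observer recovers are the typing rhythm itself. The simulation below is an added illustration (not code from the article, the commenter, or the NetCAT paper) of why that is, and of the standard client-side mitigation: send on a fixed clock and pad with dummy packets so packet timing no longer depends on keystroke timing. The keystroke timestamps, the tick period and the idle timeout are constructed values for the demonstration; the example only addresses the timing leak in the comment's scenario, not the underlying cache side channel, which is what Intel's advice to disable DDIO and RDMA targets.

```python
"""Toy model of keystroke-timing leakage via per-keystroke packets, and of
fixed-clock padding as a mitigation. All times are integer microseconds so
the arithmetic is exact. Constructed example; not from the original page."""
from typing import List, Tuple


def inter_packet_times(arrivals: List[int]) -> List[int]:
    """Gaps between consecutive packet timestamps: the only thing a passive
    observer of the RX buffer learns from timing."""
    return [b - a for a, b in zip(arrivals, arrivals[1:])]


def send_per_keystroke(key_times_us: List[int]) -> List[int]:
    """Naive interactive client: one packet the moment each key is pressed,
    so packet gaps equal inter-keystroke gaps."""
    return list(key_times_us)


def send_on_fixed_clock(key_times_us: List[int], period_us: int,
                        idle_after_us: int) -> List[int]:
    """Padded client: emit a packet every `period_us` while the session is
    active (until `idle_after_us` after the last keystroke). Each slot carries
    either the next queued keystroke or a dummy; a real key is delayed to the
    next tick. Only the timestamps are returned, because that is all an
    observer sees, and dummies are indistinguishable from real packets."""
    if not key_times_us:
        return []
    tick = key_times_us[0] - (key_times_us[0] % period_us)  # align to grid
    end = key_times_us[-1] + idle_after_us
    packets = []
    while tick <= end:
        packets.append(tick)
        tick += period_us
    return packets


def timing_leak_score(gaps: List[int]) -> int:
    """Spread of the inter-packet gaps (max - min). Zero means the gaps carry
    no information about when keys were actually pressed."""
    return max(gaps) - min(gaps) if gaps else 0


# Constructed keystroke timestamps (microseconds) for a typist with an
# uneven rhythm: short bursts and longer pauses.
KEY_TIMES_US = [0, 180_000, 420_000, 470_000, 900_000, 1_050_000]


def compare(period_us: int = 50_000,
            idle_after_us: int = 200_000) -> Tuple[int, int, int]:
    """Return (naive spread, padded spread, padded packet count).
    The padded schedule trades extra packets for a flat timing profile."""
    naive_gaps = inter_packet_times(send_per_keystroke(KEY_TIMES_US))
    padded = send_on_fixed_clock(KEY_TIMES_US, period_us, idle_after_us)
    padded_gaps = inter_packet_times(padded)
    return timing_leak_score(naive_gaps), timing_leak_score(padded_gaps), len(padded)


if __name__ == "__main__":
    naive, padded, count = compare()
    print(f"per-keystroke spread: {naive} us  (rhythm fully exposed)")
    print(f"fixed-clock spread:   {padded} us over {count} packets (rhythm hidden)")
```

The cost of the mitigation is visible in the packet count: six keystrokes become twenty-six packets, and each key is delayed by up to one tick. That is the same trade-off interactive protocols make when they add keystroke-timing obfuscation, and it is worth measuring before enabling on a latency-sensitive service.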
ok now we see that all "Intel-exclusive performance enhancements" that give them a "performance edge" over the competition are bound to be security vulnerabilities ....
sooo, basically once patched these "enhancements" (read underhanded tricks) will not be "enhancements" anymore. I wonder how much % they will lose this time (ofc for the masses it means literally nothing and the difference is not so noticeable on a daily use basis .... but still ... )
bottom line ... "if you are faster than your competitors using exploitable performance enhancements, it would be better to be on the same level as them, be more secure and priced adequately."
"Intel is superior, you get what you pay for, 9900KS king of the desktop, Xeon King of your datacenter, all for the safe data, real world matter!"
www.intel.com/content/www/us/en/io/data-direct-i-o-technology.html
This only affects Server chips/chipset combos though. And it's isolated to lan use cases. Low risk factor, IMO.