New NetCAT Vulnerability Exploits DDIO on Intel Xeon Processors to Steal Data

Mussels

Oof, this one actually sounds like it can do some serious damage out in the wild
 
that allows compromised servers in a network to steal data from every other machine on its local network

Sounds like one needed to have a bigger problem in the first place.
 
https://www.vusec.net/projects/netcat/ said:
More precisely, with NetCAT, we can leak the arrival time of the individual network packets from an SSH session using a remote cache side channel. Why is this useful? In an interactive SSH session, every time you press a key, network packets are being directly transmitted. As a result, every time you type a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet. Now, humans have distinct typing patterns. For example, typing ‘s’ right after ‘a’ is faster than typing ‘g’ after ‘s’. As a result, NetCAT can operate statistical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session.
 
If (insert social media) can tell where I want to eat, where I bank, what kind of car I drive, where I live, know my phone number and much else only a little more info is needed to unlock the rest of who anyone is, and this is that key.
 
"AMD EPYC processors don't support DDIO. "

How convenient...
 
DDIO, or Direct Data I/O, is an Intel-exclusive performance enhancement that allows NICs to directly access a processor's L3 cache,

:wtf:
To my knowledge, remote session had to pass through BMC and gain elevated privilege within SPI. So either Intel screwed up big time with their APM or they didn't have working TPM like EPYC. This is embarrassing to say the least, although with just simple firmware they can patch it :shadedshu:
 
The attack vector is legitimate and it needs to be plugged, but the issue is not as severe or as easy to exploit as the demo and description in the news imply.

tl;dr
- Attacker and Victim are connected to the same third machine (let's call it server for now). Separate NICs on server, so attacker and victim have no other point of contact.
- Victim has an interactive SSL session (every key press immediately sends a package).
- With some preparation, attacking computer can watch RX Buffer in the server where victim is transferring data to.
- Comparing the times packets were sent by attacker and times packets were detected to be received, attacker can determine when packets were received.
- Next, a good data set and cool algorithm is applied to the packet times (or more precisely inter-packet times) to predict what word was likely typed.

Basically, the information gathered is that there was a package received along with timing.
Busy network would throw some wrenches into this. The victim in the example video uses automated typing based on trained data which makes it a little less impressive.
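
The last two tl;dr points and the remark about busy networks in the post above, as an added simulation that is not part of the original thread: a nearest-match guess over inter-packet gaps, scored with and without extra timing jitter. The gap means, the typing spread, and the candidate words are constructed assumptions, not measured data.

```python
import random

# Constructed inter-keystroke gap means in milliseconds (assumed values,
# not measurements). Each key pair gets its own typical gap.
DIGRAPH_MS = {"sa": 100.0, "ga": 160.0, "ag": 180.0, "gs": 240.0}
TYPING_STD_MS = 15.0          # assumed natural variation of one typist
CANDIDATES = ["saga", "gags", "sags", "gaga"]   # hypothetical dictionary


def expected_gaps(word):
    """Mean gap between consecutive key presses for each letter pair."""
    return [DIGRAPH_MS[word[i:i + 2]] for i in range(len(word) - 1)]


def observe(word, jitter_ms, rng):
    """Gaps an observer of packet arrival times would record.

    jitter_ms models extra delay variation from a busy network; 0 means
    the packet timing reflects the typing rhythm exactly.
    """
    return [rng.gauss(mu, TYPING_STD_MS) + rng.gauss(0.0, jitter_ms)
            for mu in expected_gaps(word)]


def guess(gaps):
    """Pick the candidate whose expected gaps are closest (least squares)."""
    def sq_err(word):
        return sum((g - mu) ** 2 for g, mu in zip(gaps, expected_gaps(word)))
    return min(CANDIDATES, key=sq_err)


def accuracy(jitter_ms, trials=2000, seed=1):
    """Fraction of simulated words guessed correctly at a given jitter."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        word = rng.choice(CANDIDATES)
        hits += guess(observe(word, jitter_ms, rng)) == word
    return hits / trials


if __name__ == "__main__":
    for jitter in (0, 20, 50, 100, 200):
        print(f"jitter {jitter:>3} ms -> accuracy {accuracy(jitter):.2f}")
```

With four candidates, chance level is 0.25; the printed table shows how quickly the guess falls toward it as jitter grows past the spacing between the gap means.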
 

eidairaman1

This sort of news is getting old :laugh:
Here we go again ;)
"Security" Not really
Leadership in vulnerability ;)
I just wish they did these things behind closed doors, i.e. sent it directly to Intel/AMD to fix, because I'm getting bored of this. There's no need for this to be in the public arena.
Consumers shouldn't know about the defects in the products they're sold, eh?
Maybe some hackers will also now know....
When defects exist in products consumers have their hands on, it should always be assumed that the defects are known.

This should be a basic guiding principle. With transparency comes responsibility.

The notion that various 3rd-parties, various corporations with their particular corporate agendas, various executives with stocks to sell, various controversial agencies, should be able to trump press freedom is odious at best.

Besides, as I noted, consumers have an inherent right to know what it is that they bought. Money is life abstracted. When someone hands over a portion of their life for a product they deserve to know what they gave some of their life to get.
>We initiated a coordinated disclosure process with Intel and NCSC (the Dutch national CERT) on June 23, 2019. The vulnerability was acknowledged by Intel with a bounty and CVE-2019-11184 was assigned to track this issue. The public disclosure was on September 10, 2019.

As always* the vendor was informed way before the public for this exact reason, to evaluate and prepare mitigations.

*'cept that time "they" tried to short-sell AMD ayy lmao
That's debatable.

Personally, I think protecting the public welfare ranks well below some other agendas, when it comes to those managing these matters. Otherwise, transparency, not censorship, would be the method not the objection.

Underlying all of this is the argument that freedom of the press should be suspended whenever there is a security flaw in a product. Unacceptable. People have the right to know what defects are in the products they bought, immediately upon discovery of those defects — not when Google nor any other corporation deigns to tell them — not when people have been able to game the stock market and the PR arena.
As long as it is fixed who cares. If you keep pushing & poking at any hardware long enough you will always find something.
Will this nightmare ever end?
I am NOT surprised
Lol. When can we assume that Intel threw security out the window to get performance way back when C2D was new and just never bothered to stop and fix it, cause they were the king of performance.
Looks like Intel & Security are a dichotomy at this point :slap:

Safe to say anything closed source can have hidden vulnerabilities. This just makes open source keep looking better and better all the time...


Intel sowed bad seed with their bribes/arrogance/ignorance, now they are facing the wrath of their bad crop
 
"DDIO, or Direct Data I/O, is an Intel-exclusive performance enhancement that allows NICs to directly access a processor's L3 cache, completely bypassing the a server's RAM, to increase NIC performance and lower latencies. "
ok now we see that all "Intel-exclusive performance enhancement" that give them a "performance edge" over the concurrence are bound to be security vulnerability ....

sooo, basically once patched these "enhancement" (read underhanded tricks) will not be "enhancement" anymore i wonder how much % will they lose this time (ofc for the mass it means literally nothing and the difference is not so much noticeable on a daily use basis .... but still ... )

bottom line ... "if you are faster than your concurrent using exploitable performances enhancement, it would be better to be on the same level as them, be more secure and priced adequately."

"Intel is superior, you get what you pay for, 9900KS king of the desktop, Xeon King of your datacenter, all for the safe data, real world matter!"
 
I just wish they did these things behind closed doors, i.e. sent it directly to Intel/AMD to fix, because I'm getting bored of this. There's no need for this to be in the public arena.
Whoa, isn't this the old ostrich-burying-its-head-in-a-hole philosophy? Intel/AMD consumers should be made aware of vulnerabilities of their CPUs, which can be exploited, so that they can at least pressure Intel (or AMD for that matter) to ensure that the vulnerabilities are patched.
 
The statement that AMD gave regarding open-sourcing their Security Engine is that it contains licensed parts and they will get in trouble if they share it.
Londo Mollari's little friend on his shoulder was licensed, too.
 
Maybe some hackers will also now know....

The hackers are plenty capable of figuring it out on their own... and no, they don't learn from "youtube vids". :laugh:

This only affects server chip/chipset combos though. And it's isolated to LAN use cases. Low risk factor, IMO.
 