NetCAT side-channel flaw affecting Intel server CPUs could enable attackers to sniff sensitive network data

The weakness affects all Intel chips supporting the RDMA and DDIO features

Security researchers have discovered a new chip-level vulnerability, dubbed NetCAT, affecting Intel's server-grade microprocessors, which could enable attackers to sniff potentially sensitive data over the network.

NetCAT (Network Cache ATtack) affects all Intel chips supporting the Remote Direct Memory Access (RDMA) and Intel Data-Direct I/O (DDIO) features, according to the researchers at Vrije Universiteit Amsterdam who discovered the flaw.

The researchers said they have demonstrated that, when DDIO and RDMA are enabled, an attacker can mount a cache side-channel attack against a remote, networked machine and infer specific types of data being processed in its CPU cache. The attack is carried out entirely through network packets sent to the target's network card; no code runs on the victim.

DDIO technology was introduced by Intel in 2011 to speed up servers handling 10-gigabit ethernet connections and faster. With DDIO enabled, peripherals such as a network card write incoming data directly into the CPU's last-level cache instead of into main memory (RAM), which saves the cost of a memory round-trip but also makes the cache a resource shared between the CPU cores and the network card.

The feature is enabled by default on all Intel server-grade chips manufactured since 2012, for example the Xeon E5 and Xeon Scalable (SP) families.

According to the researchers, NetCAT lets an attacker learn about network packets arriving directly into the DDIO-shared cache, even though the attacker cannot read their contents. Specifically, they showed that the flaw allows an attacker to infer keystrokes entered in an SSH session to the vulnerable machine.

During an interactive SSH session, a network packet is sent each time a key is pressed. So, for every character typed during an encrypted SSH session, NetCAT leaks the arrival time of the corresponding packet. Because the delay between two keystrokes depends on which keys are typed and on the typist, and different individuals have distinct typing patterns, an attacker can perform a statistical analysis of the packet inter-arrival times to infer the characters typed during an SSH session.
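To make the statistical step concrete, here is an added illustration (not code from the NetCAT paper or from VUSec) of how leaked packet arrival times can be turned into keystroke guesses. It assumes a constructed per-key-pair (bigram) latency model with Gaussian inter-keystroke delays and a small candidate dictionary; the hand-assignment heuristic and all millisecond values are made up for the example, not measured from any typist, and the researchers' own classifier is not reproduced here.

```python
import math

# Constructed QWERTY hand assignment used by the toy latency model.
LEFT_HAND = set("qwertasdfgzxcvb")
RIGHT_HAND = set("yuiophjklnm")

# Constructed candidate dictionary of words the victim might type.
DICTIONARY = ["pass", "wasp", "swap", "asap", "soap", "spam", "maps", "amps", "swaps"]


def bigram_latency_model(a, b):
    """Constructed (mean, stddev) in ms for the delay between keystroke a and keystroke b.

    Toy assumptions, not measured data: alternating hands is fastest, two keys on the
    same hand is slower, and a repeated key is slowest. A real attacker would learn
    these parameters from training data on the victim or a population of typists.
    """
    if a == b:
        return 190.0, 25.0
    same_hand = (a in LEFT_HAND) == (b in LEFT_HAND)
    return (150.0, 25.0) if same_hand else (95.0, 20.0)


def arrival_times_to_intervals(arrivals):
    """Turn the packet arrival timestamps the side channel leaks into inter-keystroke delays."""
    return [later - earlier for earlier, later in zip(arrivals, arrivals[1:])]


def log_likelihood(word, intervals):
    """Gaussian log-likelihood of the observed delays under a candidate word's bigram model."""
    if len(intervals) != len(word) - 1:
        return float("-inf")  # a word with the wrong keystroke count cannot explain the trace
    total = 0.0
    for (a, b), dt in zip(zip(word, word[1:]), intervals):
        mu, sigma = bigram_latency_model(a, b)
        total += -0.5 * ((dt - mu) / sigma) ** 2 - math.log(sigma * math.sqrt(2.0 * math.pi))
    return total


def rank_candidates(arrivals, dictionary=DICTIONARY):
    """Dictionary words ordered from most to least likely given the leaked arrival times."""
    intervals = arrival_times_to_intervals(arrivals)
    return sorted(dictionary, key=lambda w: log_likelihood(w, intervals), reverse=True)


def top_candidates(arrivals, dictionary=DICTIONARY, margin=1.0):
    """All words whose likelihood is within `margin` (log units) of the best one.

    Words with the same hand-alternation pattern produce identical expected delays in
    this model, so the timing channel alone cannot separate them: the attacker is left
    with a shortlist, which is why the attack is statistical rather than a direct read.
    """
    intervals = arrival_times_to_intervals(arrivals)
    scores = {w: log_likelihood(w, intervals) for w in dictionary}
    best = max(scores.values())
    return {w for w, s in scores.items() if s >= best - margin}


def simulate_arrivals(word, start=0.0, jitter=()):
    """Constructed victim: one SSH packet per keystroke, spaced by the model's mean delay.

    `jitter` optionally adds a fixed per-interval offset (ms) so an example trace is
    noisy but still deterministic.
    """
    times = [start]
    for i, (a, b) in enumerate(zip(word, word[1:])):
        mu, _ = bigram_latency_model(a, b)
        offset = jitter[i] if i < len(jitter) else 0.0
        times.append(times[-1] + mu + offset)
    return times


if __name__ == "__main__":
    # Constructed trace: the victim types "pass"; the arrival times carry a little jitter.
    trace = simulate_arrivals("pass", jitter=(6.0, -7.0, 7.0))
    print("leaked intervals (ms):", arrival_times_to_intervals(trace))
    print("best guesses:", rank_candidates(trace)[:3])
    # Ambiguous case: "swap", "wasp" and "asap" share the same hand pattern (same, same, alternate).
    print("shortlist for a 'swap' trace:", sorted(top_candidates(simulate_arrivals("swap"))))
```

The "swap"/"wasp"/"asap" shortlist is the point of the second run: the timing channel narrows the candidates rather than revealing characters, so a real attack needs training data on the victim's typing, a language or dictionary model, and noise handling to pick the right one.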

While the NetCAT attack can work with only the DDIO feature enabled, it becomes more effective when RDMA is also turned on.

"In our attack, we exploit the fact that the DDIO-enabled application server has a shared resource (the last-level cache) between the CPU cores and the network card," the researchers wrote in an online post.

"We reverse engineered important properties of DDIO to understand how the cache is shared with DDIO. We then use this knowledge to leak sensitive information from the cache of the application server using a cache side-channel attack over the network. To simplify the attack, similar in spirit to Throwhammer, we rely on Remote Direct Memory Access (RDMA) technology. RDMA allows our exploit to surgically control the relative memory location of network packets on the target server."

The researchers said they notified Intel about the issue, which is tracked as CVE-2019-11184.

The company acknowledged the vulnerability and also awarded a bounty for the disclosure.

The detailed findings of the research are available in a paper [pdf] entitled "NetCAT: Practical Cache Attacks from the Network."