NetCAT vulnerability found in some Intel processors – it allows stealing data over SSH

A mechanism for improving the performance of Intel processors called Data-Direct I/O (DDIO) turned out to be connected with the critical vulnerability NetCAT, which allows attackers to intercept keystrokes during SSH connections.

The vulnerability was discovered by cybersecurity researchers from Vrije Universiteit Amsterdam and ETH Zurich. They published a paper describing the critical vulnerability NetCAT (short for Network Cache Attack), which is made possible by support for Data-Direct I/O Technology.

With this technology, peripherals can access the processor cache directly instead of RAM. This mechanism is useful for large data centers, where RAM may not be enough. DDIO has been enabled by default on all Intel server processors (including Intel Xeon E5, E7, and SP) since 2012.

The researchers found that this useful feature can also be turned to an attacker's advantage. They developed the NetCAT attack, which helps intercept keystrokes.

Due to this vulnerability, attackers who use hacked servers can steal data from all computers on the local network. The vulnerability is even more serious in data centers that use not only DDIO but also RDMA (remote direct memory access). With this mechanism, a single hacked server can threaten the whole network.

“Despite the fact that NetCAT has great potential even by the most minimal estimates, we believe that we have [now] removed only the top layer of the capabilities of network attacks on the cache, and we expect similar attacks based on NetCAT in the future,” the researchers say.

They also believe that future attacks may lead to data theft even when RDMA is not enabled. Equipment manufacturers are advised to take care of protecting microarchitecture improvements before introducing them into billions of real servers.

Intel has listened to the experts and has already asked owners of Xeon-based systems to disable DDIO and RDMA on machines with access to untrusted networks. The company’s experts are now working on a fix for the vulnerability. At the same time, according to Ars Technica, users should remember that the attacks tested by the researchers are unlikely to become widespread in the real world in the near future.

“NetCAT is a complex attack, and for most attackers it will be more difficult than picking an apple from a branch,” Ars Technica quotes Kaveh Razavi, one of Vrije Universiteit’s researchers. “In server settings with unreliable clients, where security is more important than performance, we recommend disabling DDIO.”