Recent research has unveiled a new side-channel vulnerability in Intel processors that can be exploited remotely, without malware on or physical access to the targeted machine. The vulnerability, referred to as **NetCAT** (Network Cache ATtack), poses a significant risk because it potentially lets attackers extract sensitive information, such as SSH passwords, from the CPU cache. It was discovered by a team of security researchers from Vrije Universiteit Amsterdam and is tracked as CVE-2019-11184.
The NetCAT vulnerability is rooted in Intel’s Data-Direct I/O (DDIO) technology, which has been an integral feature of Intel server-grade processors, including the Xeon E5, E7, and SP families since 2012. By allowing network devices to access the CPU cache, this technology inadvertently opens a pathway for malicious actors to perform data exfiltration via specially crafted network packets.
The mechanics of the NetCAT attack resemble earlier techniques such as Throwhammer, in which attackers use Remote Direct Memory Access (RDMA) to probe server-side peripherals. By measuring differences in packet timing, an adversary can tell whether a packet was served from the processor's cache or from system memory. Applied to an interactive session, this timing analysis reveals the user's typing rhythm and so exposes potentially sensitive data being transmitted over an encrypted SSH connection.
The VUSec team explains that in an SSH session every keystroke generates a network packet that can be observed. By recording the arrival time of these packets, an attacker can profile the user's typing behaviour, exploiting the fact that the delay between two keystrokes varies in a characteristic way from one key pair to the next. Statistical analysis of these delays leaks a significant amount of information: the NetCAT framework recognises keystrokes with only an 11.7% reduction in accuracy compared to a local attack.
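To make the keystroke-timing leak concrete from the defender's side, here is an added example (not code from the VUSec researchers or the NetCAT paper) that models the per-keystroke packet stream of an interactive session, shows the inter-arrival signal a timing attack relies on, and applies a fixed-rate padding countermeasure that removes that signal. The keystroke timestamps and the 20 ms padding period are constructed assumptions.

```python
import statistics

# Constructed sample: send times (milliseconds) of one SSH packet per keystroke,
# as a network observer would record them for an interactive session.
KEYSTROKE_MS = [0, 184, 271, 523, 668, 702, 931, 1240]

PAD_PERIOD_MS = 20  # assumed fixed send interval for the padded channel


def inter_arrival(times):
    """Gaps between consecutive packets: this is the signal a timing attack analyses."""
    return [b - a for a, b in zip(times, times[1:])]


def timing_leak_proxy(times):
    """Spread of the gaps. Zero means arrival times carry no information about
    the typist; the larger it is, the more the digraph latencies stand out."""
    gaps = inter_arrival(times)
    return statistics.pstdev(gaps) if len(gaps) > 1 else 0.0


def pad_stream(times, period=PAD_PERIOD_MS):
    """Mitigation: from the first keystroke until the last one has been sent,
    emit a packet every `period` ms. A real keystroke rides in the first slot at
    or after it; empty slots carry dummy traffic of the same size. The observer
    sees a constant cadence regardless of the typing rhythm.
    Returns (send_times, number_of_dummy_packets)."""
    if not times:
        return [], 0
    start = times[0]
    last_slot = (times[-1] - start + period - 1) // period  # integer ceiling
    sends = [start + k * period for k in range(last_slot + 1)]
    occupied = {(t - start + period - 1) // period for t in times}
    return sends, len(sends) - len(occupied)


if __name__ == "__main__":
    print("raw gaps (ms):", inter_arrival(KEYSTROKE_MS))
    print("raw leak proxy:", round(timing_leak_proxy(KEYSTROKE_MS), 1))
    padded, dummies = pad_stream(KEYSTROKE_MS)
    print("padded gaps:", set(inter_arrival(padded)), "dummy packets:", dummies)
    print("padded leak proxy:", timing_leak_proxy(padded))
```

The cost of the countermeasure is visible in the dummy-packet count: eight keystrokes become 63 packets, which is why padding is usually confined to interactive traffic rather than applied to a whole link.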
In terms of the MITRE ATT&CK framework, the vulnerability maps to tactics such as Initial Access and Data Exfiltration: the ability to reach a target over the network without a foothold on it, followed by the extraction of confidential information, aligns closely with established adversary tactics.
In response to these findings, Intel has acknowledged the vulnerability, classifying it as a low-severity risk primarily associated with partial information disclosure. As a precautionary measure, the company advises users to consider disabling DDIO or restricting RDMA configurations to mitigate the risk of such attacks, especially from untrusted networks.
The emergence of NetCAT adds to the growing list of notable vulnerabilities impacting Intel processors, joining the ranks of Meltdown, Spectre, TLBleed, and Foreshadow, among others. As businesses increasingly rely on cloud services and remote computing, understanding and mitigating these vulnerabilities will be crucial for maintaining robust cybersecurity postures.
The researchers have also released a video demonstrating the feasibility of spying on SSH sessions through this vulnerability using a shared server, further emphasizing the need for immediate action among affected entities. For business owners, this development underscores the importance of proactive cybersecurity measures, reinforcing the necessity of staying informed about emerging vulnerabilities and their potential ramifications in today’s digital landscape.