NetCAT: New Attack Lets Hackers Remotely Steal Data From Intel CPUs

Unlike previous side-channel vulnerabilities disclosed in Intel CPUs, researchers have discovered a new flaw that can be exploited remotely over the network without requiring an attacker to have physical access or any malware installed on a targeted computer.

Dubbed NetCAT, short for Network Cache ATtack, the new network-based side-channel vulnerability could allow a remote attacker to sniff out sensitive data, such as someone’s SSH password, from Intel’s CPU cache.

Discovered by a team of security researchers from the Vrije University in Amsterdam, the vulnerability, tracked as CVE-2019-11184, resides in a performance optimization feature called Intel’s DDIO—short for Data-Direct I/O—which by design grants network devices and other peripherals access to the CPU cache.

The DDIO comes enabled by default on all Intel server-grade processors since 2012, including Intel Xeon E5, E7 and SP families.

According to the researchers [paper], the NetCAT attack works similarly to Throwhammer, solely by sending specially crafted network packets to a targeted computer that has the Remote Direct Memory Access (RDMA) feature enabled.

RDMA enables attackers to spy on remote server-side peripherals such as network cards and observe the timing difference between a network packet that is served from the remote processor’s cache versus a packet served from memory.

VIDEO

Here the idea is to perform a keystroke timing analysis to recover words typed by a victim using a machine learning algorithm against the time information.

“In an interactive SSH session, every time you press a key, network packets are being directly transmitted. As a result, every time you type a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet,” explains the VUSec team.

“Now, humans have distinct typing patterns. For example, typing ‘s’ right after ‘a’ is faster than typing ‘g’ after ‘s.’ As a result, NetCAT can operate statistical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session.”

“Compared to a native local attacker, NetCAT’s attack from across the network only reduces the accuracy of the discovered keystrokes on average by 11.7% by discovering inter-arrival of SSH packets with a true positive rate of 85%.”

The VUSec team has also published a video, as shown above, demonstrating a method for spying on SSH sessions in real-time with nothing but a shared server.

NetCAT is the latest side-channel vulnerability to join the list of other dangerous side-channel vulnerabilities discovered in the past year, including Meltdown and Spectre, TLBleed, Foreshadow, SWAPGS, and PortSmash.

In its advisory, Intel has acknowledged the issue and recommended that users either completely disable DDIO, or at least RDMA, to make such attacks more difficult, or otherwise limit direct access to the servers from untrusted networks.
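A host-side inventory check for the exposure the advisory describes, written as an added example (it is not code from the article, Intel, or the VUSec team). It assumes a Linux host; the brand-string pattern, the module list and all function names are illustrative assumptions, and the check cannot tell whether DDIO itself is switched on, only that the CPU belongs to a family the article names.

```python
import os
import re

# Heuristic (assumption): brand strings of the Xeon E5, E7 and SP
# (Platinum/Gold/Silver/Bronze) families the article lists as shipping DDIO.
DDIO_FAMILY = re.compile(r"Xeon\(R\).*\b(E5|E7|Platinum|Gold|Silver|Bronze)\b")
# Common Linux RDMA stack modules; not an exhaustive list.
RDMA_MODULES = {"ib_core", "ib_uverbs", "rdma_cm", "rdma_ucm", "iw_cm",
                "mlx4_ib", "mlx5_ib", "rdma_rxe", "siw"}
# Constructed sample inputs (not captured from a real host).
SAMPLE_CPUINFO = "model name\t: Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz\n" * 2
SAMPLE_MODULES = ("ib_core 311296 2 rdma_cm,ib_uverbs, Live 0x0\n"
                  "e1000e 286720 0 - Live 0x0\n")


def ddio_family_cpus(cpuinfo_text):
    """Distinct 'model name' values that match a DDIO-era Xeon family."""
    models = set()
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "model name" and DDIO_FAMILY.search(value):
            models.add(value.strip())
    return sorted(models)


def loaded_rdma_modules(proc_modules_text):
    """RDMA-related module names present in /proc/modules content."""
    names = {l.split()[0] for l in proc_modules_text.splitlines() if l.strip()}
    return sorted(names & RDMA_MODULES)


def assess(cpuinfo_text, proc_modules_text, rdma_devices):
    """Flag hosts that pair a DDIO-family CPU with an active RDMA stack."""
    cpus = ddio_family_cpus(cpuinfo_text)
    mods = loaded_rdma_modules(proc_modules_text)
    return {"ddio_family_cpus": cpus, "rdma_modules": mods,
            "rdma_devices": sorted(rdma_devices),
            "review_needed": bool(cpus) and bool(mods or rdma_devices)}


def read(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    sysfs = "/sys/class/infiniband"  # one entry per registered RDMA device
    devices = os.listdir(sysfs) if os.path.isdir(sysfs) else []
    print(assess(read("/proc/cpuinfo"), read("/proc/modules"), devices))
```

A host reported with `review_needed` set is a candidate for the mitigations above: disabling RDMA (or DDIO), or restricting which networks can reach it.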

The company assigned the NetCAT vulnerability a “low” severity rating, describing it as a partial information disclosure issue, and awarded a bounty to the VUSec team for the responsible disclosure.

via The Hacker News https://thehackernews.com/
Link : https://thehackernews.com/
September 11, 2019 at 03:11PM
