Intel's server-centric processors have been hit by yet another side-channel hardware flaw, allowing attackers to monitor supposedly protected traffic - including encrypted passwords - over the network.
Building on a dizzying array of side-channel attacks exploiting design flaws in modern processors, which began to surface in January 2018 with the Meltdown and Spectre families of vulnerabilities, researchers at VU Amsterdam have identified a new flaw affecting Intel chips: NetCAT, which exploits side-channel vulnerabilities to steal privileged information - including keystrokes in an otherwise-encrypted SSH session - over the network.
'NetCAT shows that network-based cache side-channel attacks are a realistic threat. Cache attacks have been traditionally used to leak sensitive data on a local setting (e.g., from an attacker-controlled virtual machine to a victim virtual machine that share the CPU cache on a cloud platform). With NetCAT, we show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in a SSH session from remote servers with no local access,' the researchers explain. 'The root cause of the vulnerability is a recent Intel feature called DDIO [Data-Direct I/O], which grants network devices and other peripherals access to the CPU cache. Originally, intended as a performance optimisation in fast networks, we show DDIO has severe security implications, exposing servers in local untrusted networks to remote side-channel attacks.'
The flaw exists only in Intel's server-centric Xeon family of processors, with its client-side Core and related chips lacking the vulnerable DDIO functionality. More worryingly, however, the feature comes enabled by default where present. 'Intel agrees this is a significant vulnerability, having awarded NetCAT a bounty and recommending users to "limit direct access from untrusted networks when DDIO & RDMA [Remote Direct Memory Access] are enabled." This essentially means that in untrusted network environments DDIO and/or RDMA should be disabled to provide security. To the best of our knowledge, this is the first time a major hardware vendor like Intel cautions against using a CPU feature in untrusted local networks.'
Intel, unsurprisingly, is downplaying the severity of the flaw. 'This issue has a low CVSS base score of 2.6. In scenarios where Intel DDIO and RDMA are enabled, strong security controls on a secured network are required, as a malicious actor would need to have read/write RDMA access on a target machine using Intel DDIO to use this exploit,' the company explains in its security notice. 'In the complex scenarios where Intel DDIO and RDMA are typically used, such as massively parallel computing clusters, malicious actors typically don't have direct access from untrusted networks.'
The flaw affects all Intel Xeon E5, E7, and SP chips that include DDIO and RDMA support; Intel has not released any patches, instead advising users to work around the problem by limiting direct access to servers from untrusted networks or disabling DDIO and RDMA support - and taking the performance hit that results.
Full details on NetCAT are available on the VUSec website.
October 14 2019 | 14:00