Security researchers have identified a new attack that targets Intel server-level CPUs that could allow SSH passwords to leak. This is a new side-channel attack, dubbed NetCAT, that has an impact across all Intel server-grade processors that have been manufactured since 2012.
While this is clearly a major problem, the researchers say that the attack is not easy to carry out. NetCAT was discovered by researchers at VU Amsterdam, who say bad actors can recover encrypted passwords as users type them into secure shell (SSH) sessions.
NetCAT (Network Cache Attack) stems from Intel's Data-Direct I/O Technology (DDIO), a performance feature that is enabled by default on server-grade CPUs such as the Xeon family.
By targeting DDIO, an attacker can observe the moment at which network packets for an SSH session arrive at the server.
“NetCAT can break the confidentiality of an SSH session from a third machine, without any malicious software running on the remote server or the client which communicate over SSH,” Michael Kurth, one of the researchers with VU Amsterdam who discovered the attack, told Threatpost. “The third machine is not involved at all in the SSH session between the remote server and the client. NetCAT leaks keystrokes of the clients of the target server on their encrypted SSH sessions even if they are on a different network segment than the attacker (so traditional sniffing attacks are not possible).”
DDIO is a feature that gives network devices direct access to the CPU cache. It is in this shared area that attackers can observe and extract password-related data, which they achieve by reverse-engineering DDIO's properties. The VU Amsterdam researchers note that the last-level cache is a resource shared among CPU cores, which opens a door through which a network-based attacker can reach it.
However, doing that is easier said than done. Attackers would need a server under their own control that can communicate with a DDIO-enabled application server. Furthermore, that target server would need to be servicing network requests from the victim's client.
“In an interactive SSH session, every time you press a key, network packets are being directly transmitted,” researchers say. “As a result, every time a victim types a character inside an encrypted SSH session on your console, NetCAT can leak the timing of the event by leaking the arrival time of the corresponding network packet. Now, humans have distinct typing patterns…. As a result, NetCAT can operate static analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack, to leak what you type in your private SSH session.”
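The quote above explains the channel: an interactive SSH client sends a packet per keystroke, so packet inter-arrival times mirror the user's typing rhythm. The following Python model, an added illustration that is not code from the NetCAT researchers or from the article, makes that concrete from the defender's side. It simulates an observer who sees only packet arrival times, first against a naive per-keystroke sender and then against a sender that transmits on a fixed clock and pads with chaff packets after the last real keystroke (the same idea as OpenSSH's `ObscureKeystrokeTiming` option, whose default interval is assumed here to be 20 ms). All keystroke delays are constructed values, not measured data.

```python
"""Model of why per-keystroke packets leak timing, and why a fixed-interval
sender with chaff packets flattens the channel.  Timings are constructed."""
import statistics

# Constructed per-key delays (ms) for a hypothetical user typing an 8-character
# secret.  Digraph timings differ per person; what matters is that they vary.
HUMAN_KEY_DELAYS_MS = [0, 180, 250, 210, 330, 170, 290, 220]


def keystroke_arrival_times(delays_ms):
    """Naive client: one packet the instant each key is pressed, so the
    observer-visible arrival times are exactly the typing timeline."""
    t, out = 0, []
    for d in delays_ms:
        t += d
        out.append(t)
    return out


def inter_arrival(times):
    """What a network-side observer actually measures: gaps between packets."""
    return [b - a for a, b in zip(times, times[1:])]


def obfuscated_arrival_times(keystroke_times, interval_ms=20, chaff_ms=100):
    """Hardened client (modelled loosely after OpenSSH ObscureKeystrokeTiming):
    packets are sent only on a fixed tick; a keystroke rides the first tick at
    or after it, and chaff packets keep the ticks going for chaff_ms after the
    last real keystroke so the observer cannot tell where typing stopped."""
    pending = sorted(keystroke_times)
    t = (pending[0] // interval_ms) * interval_ms  # align clock to first key
    last_real = t
    observed = []
    while pending or t - last_real < chaff_ms:
        observed.append(t)                # observer sees a packet at every tick
        while pending and pending[0] <= t:
            pending.pop(0)                # keystroke data leaves on this tick
            last_real = t
        t += interval_ms
    return observed


def timing_leak_score(times):
    """Spread of inter-arrival gaps.  Zero means the arrival stream carries no
    information about the typing rhythm; larger means more to analyse."""
    gaps = inter_arrival(times)
    return statistics.pstdev(gaps) if len(gaps) > 1 else 0.0


def compare():
    """Return (naive score, obfuscated score) for the constructed input."""
    naive = keystroke_arrival_times(HUMAN_KEY_DELAYS_MS)
    hardened = obfuscated_arrival_times(naive)
    return timing_leak_score(naive), timing_leak_score(hardened)


if __name__ == "__main__":
    naive = keystroke_arrival_times(HUMAN_KEY_DELAYS_MS)
    hardened = obfuscated_arrival_times(naive)
    print("naive gaps (ms):    ", inter_arrival(naive))
    print("hardened gaps (ms): ", sorted(set(inter_arrival(hardened))))
    print("leak score naive / hardened:", compare())
```

The naive stream reproduces the typist's gaps exactly (180, 250, 210, ...), which is the statistical signal a keystroke-timing attack works from; the hardened stream shows a constant 20 ms gap with chaff trailing the last key, so an observer of arrival times alone learns neither the rhythm nor the length of the secret. The model ignores network jitter, which in practice adds noise to the naive case but does not remove the signal.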
Intel has responded to the situation, saying it would be hard to exploit the vulnerability.
“In scenarios where Intel DDIO and RDMA are enabled, strong security controls on a secured network are required, as a malicious actor would need to have read/write RDMA access on a target machine using Intel DDIO to use this exploit,” Intel said. “In the complex scenarios where Intel DDIO and RDMA are typically used, such as massively parallel computing clusters, malicious actors typically don’t have direct access from untrusted networks.”