Intel CPUs, particularly used in the servers and mainframes, were found to be vulnerable to a security flaw that allows attackers to snoop into data being processed. The security bug within the server-grade Intel Xeon and other similar processors can potentially allow attackers to launch a side-channel attack that can infer what a CPU is working on and intervene to understand and pick up data.

Researchers at Vrije University in Amsterdam reported that Intel’s server-grade processors suffer from a vulnerability. They have dubbed the flaw, which can be classified as severe, as NetCAT. The vulnerability opens up the possibility for attackers to tap into the CPUs running processes and infer the data. The security flaw can be exploited remotely and companies who rely on these Intel Xeon processors can only attempt to minimize the exposure of their servers and mainframes to limit the chances of attacks and data theft attempts.

Intel Xeon CPUs With DDIO and RDMA Technologies Vulnerable:

Security researchers at the Vrije University investigated the security vulnerabilities in details and discovered that only a few specific Intel Zenon CPUs were affected. More importantly, these CPUs needed to have two specific Intel technologies that could be exploited. According to the researchers the attack needed two Intel technologies found primarily in the Xeon CPU line: Data-Direct I/O Technology (DDIO) and Remote Direct Memory Access (RDMA), to be successful. Details about the NetCAT vulnerability is available in a research paper. Officially the NetCAT security flaw has been tagged as CVE-2019-11184.

Intel appears to have acknowledged the security vulnerability in some of the Intel Xeon CPU lineup. The company issued a security bulletin that noted NetCAT affects Xeon E5, E7, and SP processors which support DDIO and RDMA. More specifically, an underlying issue with DDIO enables the side-channel attacks. DDIO has been prevalent in Intel Zenon CPUs since 2012. In other words, several older server-grade Intel Xeon CPUs currently in use in servers and mainframes could be vulnerable.

It is possible to discern someone’s SSH password as they type it into a terminal over the network by exploiting an interesting side-channel vulnerability in Intel’s networking technology, say infosec gurus. And Intel CPU bugs gifts keep coming.

— The Best Linux Blog In the Unixverse (@nixcraft) September 10, 2019

On the other hand, Vrije University’s researchers said that RDMA allows their NetCAT exploit to “surgically control the relative memory location of network packets on the target server.” Simply put, this is a whole another class of attack that can not only sniff out information from the processes that the CPUs are running, but it can also manipulate the same as well.

The vulnerability means that untrusted devices on a network “can now leak sensitive data such as keystrokes in an SSH session from remote servers with no local access.” Needless to say, this is quite a severe security risk that threatens data integrity. Incidentally, Vrije University’s researchers had alerted not only Intel about the security vulnerabilities within the Intel Zenon CPUs but also the Dutch National Cyber Security Centre in the month of June, this year. As a token of appreciation and for coordinating the vulnerability’s disclosure with Intel, the university even received a bounty. The exact amount hasn’t been disclosed, but given the severity of the issue, it could have been substantial.

How To Protect Against NetCAT Security Vulnerability?

Currently, the only assured method to protect against the NetCAT security vulnerability is to completely disable the DDIO feature in its entirety. Moreover, researchers are cautioning that users with the affected Intel Xeon processors should also disable the RDMA feature to be safe. Needless to say, several system administrators may not want to give up DDIO in their servers as it is an important feature.

Intel has noted that Xeon CPU users should “limit direct access from untrusted networks” and use “software modules resistant to timing attacks, using constant-time style code.” The Vrije University researchers, however, insist that mere software module may not be able to truly defend against NetCAT. The modules, could, however, help with similar exploits in the future.