Bug 1752738 (CVE-2019-11184, NetCAT)
Summary: | CVE-2019-11184 hardware: Side-channel cache attack against DDIO with RDMA | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Wade Mealing <wmealing> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, steved, williams, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw has been discovered in which an attacker can infer SSH keystrokes after a victim connects to a compromised host. The attacker must compromise a server that the victim is connecting to and be able to groom the CPU cache on that system prior to or while a connection is in progress. The attack uses RDMA to groom the cache, then measures the response time of cache accesses to improve the statistical likelihood of an educated guess of the keystroke input. This flaw has been branded "NetCAT". | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2019-09-17 12:45:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1751585 | | |
Description
Wade Mealing
2019-09-17 06:45:51 UTC

This flaw is rated as low for a number of reasons. The data captured is keystrokes, not password data on the initial connection. This configuration is no different than connecting to any other compromised server that has malicious intent...

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11184

Statement:

While the affected software can be run on a Red Hat Enterprise Linux server, this flaw is not created or solvable at the operating system level. Connecting to an untrusted or compromised host can lead to any information sent to it being stolen.

External References:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00290.html
https://software.intel.com/security-software-guidance/insights/more-information-netcat
https://www.vusec.net/projects/netcat/
https://www.cs.vu.nl/~herbertb/download/papers/netcat_sp20.pdf

Mitigation:

This particular attack requires the compromised server to use RDMA and an Intel Xeon CPU. The Intel Xeon CPU family has a specific feature (DDIO) that allows RDMA to use the CPU's internal cache to improve RDMA performance. The client connecting to the compromised server does not need to use RDMA or DDIO.

- This attack is similar to connecting to any other compromised/untrusted host; any untrusted system could already log SSH input.
- RDMA is designed to not require operating system interaction; its interactions are between the network card and system hardware. If this functionality is compromised, the operating system is unable to effect changes here.

While this attack vector does seem unlikely, Red Hat recommends following Intel's instructions. Connecting to a compromised host is not recommended. Red Hat products can 'run' on the affected system, but the system design is not something that is solvable in Red Hat products.