Intel responds to NetCat bug

@ 2019/09/13
Not much to worry about

Intel has responded to the news that a bug, dubbed NetCat, can in specific scenarios abuse DDIO to obtain keystrokes and possibly other types of sensitive data that flow through the memory of vulnerable servers, saying it is "low severity".

For those who came in late, the warning came from Dutch VUSec security boffins at the Vrije Universiteit Amsterdam, but Intel tells us that the issue is low severity.

A spokesman said that Chipzilla received notice of this research and determined it to be low severity (CVSS score of 2.6) primarily due to complexity, user interaction, and the uncommon level of access that would be required in scenarios where DDIO and RDMA are typically used. Additional mitigations include the use of software modules resistant to timing attacks, using constant-time style code.

In scenarios where DDIO and RDMA are enabled, strong security controls on a secured network are required as an attacker would need to have Read and Write RDMA access on a target machine using DDIO. In the complex scenarios where DDIO and RDMA are typically used, such as massively parallel computing clusters, the access an attacker would need would be uncommon.

Additional mitigations include the use of existing software modules resistant to timing attacks, written in constant-time style, as well as previously published best practices and guidelines for side channel resistance and guidance for mitigating timing side channels against cryptographic implementations.
