History: Mar 15, 2020 - 7:35 p.m.

CVE-2019-11184

2020-03-15 19:35:30
redhat.com
access.redhat.com

CVSS3: 4.8 Medium

Attack Vector: ADJACENT_NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 2.3 Low

Access Vector: ADJACENT_NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:A/AC:M/Au:S/C:P/I:N/A:N

EPSS: 0.0004 Low
Percentile: 13.5%

A flaw has been discovered in which an attacker can infer SSH keystrokes after a victim connects to a compromised host. The attacker must compromise a server that the victim is connecting to and be able to groom the CPU cache on the system prior to or while a connection is in progress. The attack uses RDMA to groom the cache, then measures the response time of cache accesses to improve the statistical likelihood of an educated guess at the keystroke input. This flaw has been branded “NetCat”.

Mitigation

This particular attack requires the compromised server to use RDMA and an Intel Xeon CPU. The Intel Xeon CPU family has a specific feature (DDIO) that allows RDMA to use the CPU's internal cache to improve RDMA performance. The client connecting to the compromised server does not need to use RDMA or DDIO.

- This attack is similar to connecting to any other compromised/untrusted host; any untrusted system could already log SSH input.
- RDMA is designed not to require operating system interaction; its interactions are between the network card and system hardware. If this functionality is compromised, the operating system is unable to effect changes here.

While this attack vector does seem unlikely, Red Hat recommends following Intel's instructions. Connecting to a compromised host is not recommended. Red Hat products can 'run' on the affected system, but the system design is not something that can be solved in Red Hat products.
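
A quick way to tell whether a Linux server meets the two server-side preconditions named above (Intel Xeon CPU and RDMA hardware present). This is an added example, not Red Hat's or Intel's tooling; the function names and verdict strings are hypothetical, and it assumes the CPU model string is an adequate proxy for DDIO, which it does not read directly.

```shell
#!/bin/sh
# Added example: inventory check for the server-side preconditions in the
# advisory (Intel Xeon + RDMA). Paths are parameters so the check can be
# exercised against constructed fixtures as well as the live host.

# has_xeon CPUINFO_FILE -> exit 0 if a "model name" line names an Intel Xeon.
# Assumption: the model string stands in for DDIO capability; the DDIO
# setting itself is not inspected here.
has_xeon() {
    grep -i '^model name' "$1" 2>/dev/null | grep -qi 'Intel.*Xeon'
}

# rdma_devices SYSFS_DIR -> print one registered RDMA device name per line.
# /sys/class/infiniband is where the kernel lists RDMA devices
# (InfiniBand, RoCE and iWARP alike).
rdma_devices() {
    [ -d "$1" ] || return 0
    for d in "$1"/*; do
        [ -e "$d" ] && basename "$d"
    done
    return 0
}

# netcat_preconditions [CPUINFO_FILE] [SYSFS_DIR] -> print one verdict word.
netcat_preconditions() {
    cpuinfo=${1:-/proc/cpuinfo}
    ibdir=${2:-/sys/class/infiniband}
    devs=$(rdma_devices "$ibdir")
    if has_xeon "$cpuinfo" && [ -n "$devs" ]; then
        echo "PRECONDITIONS_MET"   # both conditions from the advisory hold
    elif has_xeon "$cpuinfo"; then
        echo "XEON_NO_RDMA"        # Xeon, but no RDMA device registered
    elif [ -n "$devs" ]; then
        echo "RDMA_NON_XEON"       # RDMA present, CPU is not an Intel Xeon
    else
        echo "NOT_APPLICABLE"
    fi
}

# Report for the host this script runs on.
netcat_preconditions
```

A PRECONDITIONS_MET result only says the hardware combination from the advisory is present; whether RDMA is exposed to untrusted peers still has to be reviewed against Intel's guidance.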
