News Xeon and Other Intel CPUs Hit by NetCAT Security Vulnerability

[Admin]

Intel's server-grade processors suffer from a vulnerability dubbed NetCAT, due to issues with technologies primarily found in DDIO and RDMA.

Xeon and Other Intel CPUs Hit by NetCAT Security Vulnerability : Read more

 

[Metal Messiah.]

Thank heavens, AMD CPUs are safe for now.

 

[PC Tailor]

Thank heavens, AMD CPUs are safe for now.

You say that, they also have security flaws.

However I always take this with a bit of a pinch of salt, as ultimately, these flaws are being discovered by people being paid to find these flaws, and Intel still currently hold the mass market share, especially in commercial / business industry. So ultimately, its where you'd direct all of the funding and research of cyber security.

You'd also be directing a lot of that work into the working industry, which are still predominantly Intel.

I believe AMD will also have it's series of flaws, just there is less focus to find them. Not to say there is no focus, but less.

 

[Metal Messiah.]

Yeah, obviously I know AMD CPUs also have security flaws. I was just referring specifically to this NetCAT vulnerability.

 

[Mpablo87]

I am sure AMD is always perfect!

 

[Keviny Oliveira]

Intel fail security again lol.

https://imgur.com/a/myYDwUg

View: https://imgur.com/gallery/myYDwUg

 

[jimmysmitty]

You say that, they also have security flaws.

However I always take this with a bit of a pinch of salt, as ultimately, these flaws are being discovered by people being paid to find these flaws, and Intel still currently hold the mass market share, especially in commercial / business industry. So ultimately, its where you'd direct all of the funding and research of cyber security.

You'd also be directing a lot of that work into the working industry, which are still predominantly Intel.

I believe AMD will also have it's series of flaws, just there is less focus to find them. Not to say there is no focus, but less.

Agreed. Flaws are more often found in major market holders as they will target them first. It is like when they said "CMacs don't get viruses" yet there have been a few, especially in recent times. It just takes time for these to be found.

That said my favorite part is this:

limit direct access from untrusted networks

ANY IT admin would have a network designed to already do this. This is an issue that will only be seen by people who do not secure their networks properly.

 

[PC Tailor]

"CMacs don't get viruses" yet there have been a few, especially in recent times. It just takes time for these to be found.

What do you mean?! Macs DON'T get Viruses !

No, because If I was a hacker trying to steal information, I'd definitely NOT go for the OS that holds around 80% of the market share

Most of those security problems won't be aimed at the general home user anyway, if an advanced enough programmer wanted to do the research and exploit these, they wouldn't be desperate to get into Steve's from Liverpool home computer so they can look at his Ibiza photos.

 

[setx]

Do you really think that there is the same difference in interest in finding bugs in Intel to AMD CPUs as the difference in bugs found? I'm sure Intel wouldn't mind paying for flaws found in AMD and maybe even more than in Intel (no matter officially or not).

Also, why just talk about AMD? Is there less interest in finding bugs in ARM? Do they have less market share or their market segments are less interesting? No they aren't.

The truth is Intel on deserved 1'st place of all major CPU vendors.

 

[TJ Hooker]

Do you really think that there is the same difference in interest in finding bugs in Intel to AMD CPUs as the difference in bugs found? I'm sure Intel wouldn't mind paying for flaws found in AMD and maybe even more than in Intel (no matter officially or not).

Also, why just talk about AMD? Is there less interest in finding bugs in ARM? Do they have less market share or their market segments are less interesting? No they aren't.

Look at where ARM CPUs are used compared to x86 CPUs are used. What do you think is a more appealing target, cell phones or data centers? And Intel still has the vast majority of data centre market share.

Edit: Well this is embarrassing, as pointed out below I forgot about the huge embedded market for ARM.

 

[setx]

Look at where ARM CPUs are used compared to x86 CPUs are used. What do you think is a more appealing target, cell phones or data centers? And Intel still has the vast majority of data centre market share.

I think that all those embedded devices are way, way more appealing target than data centers. Because data centers will just roll out update next week and security hole is mitigated while majority of embedded devices won't have any updates until they are decommissioned several years later.

 

[TJ Hooker]

I think that all those embedded devices are way, way more appealing target than data centers. Because data centers will just roll out update next week and security hole is mitigated while majority of embedded devices won't have any updates until they are decommissioned several years later.

All or most of these side channel attacks seem to require you to already have malicious software running on the machine. For an embedded device that seems like it would be difficult (and if they succeed it's probably already game over at that point), but for cloud computing data centres a would-be hacker can simply rent a VM.

Edit: But yeah, I did somehow manage to forget about embedded systems when I thought about where ARM is used, derp...

 

[joeblowsmynose]

You say that, they also have security flaws.

However I always take this with a bit of a pinch of salt, as ultimately, these flaws are being discovered by people being paid to find these flaws, and Intel still currently hold the mass market share, especially in commercial / business industry. So ultimately, its where you'd direct all of the funding and research of cyber security.

You'd also be directing a lot of that work into the working industry, which are still predominantly Intel.

I believe AMD will also have it's series of flaws, just there is less focus to find them. Not to say there is no focus, but less.

But at the same time, its not like nobody has been trying to target AMD specifically to find flaws in their architecture -- do you not recall the shortsellers, "Viceroy" and their AMD scandal with that Israeli "IT" company? Millions and millions of dollars were on the line there, and I'm pretty sure with that potential purse, they didn't do a half-assed job in trying to find vulnerabilities. (the issue for them was that the risk of the vulnerability was relatively low and proper mitigations were very easily and quickly applied - well that and everyone started to see the scam for what it was).

You are right in sentiment, but I don't think the disparity is too terribly major. I am fairly confident that the people finding these flaws are testing for them on both AMD and Intel -- Intel certainly would have interest/benefit and resources to make it so.

That said, I also believe that AMD is pretty quiet on Intel vulnerabilities, because if they start marketing for that, it could easily turn around and bite them at some point in the future.

 

[Keviny Oliveira]

No, because If I was a hacker trying to steal information, I'd definitely NOT go for the OS that holds around 80% of the market share

In fact, no, Windows has more vulnerabilities because it is important to the anti-virus market, one example is Android, you will only get a virus (although Google services works like Spyware) if you download something outside your store (I mean virus appears in the Play Store, as it already had in the Ubuntu Snap Store there will always be vulnerability and someone wanting to exploit it after all is part of life with the technology level today).

 

[PC Tailor]

In fact, no, Windows has more vulnerabilities because it is important to the anti-virus market, one example is Android, you will only get a virus (although Google services works like Spyware) if you download something outside your store (I mean virus appears in the Play Store, as it already had in the Ubuntu Snap Store there will always be vulnerability and someone wanting to exploit it after all is part of life with the technology level today).

I wasn't referring to vulnerabilities, it's logical that if you are attempting to infiltrate a market, you will naturally aim for the one that holds a huge market share, where the most common people are using it, easy information, plenty of stupid people using the software without adequate protection, easy picking

 

[InvalidError]

There is a simple way to avoid keystroke inference by timing analysis: set your terminal to line mode so the would-be attackers can't measure individual keypresses.

 

[bit_user]

Most of those security problems won't be aimed at the general home user anyway, if an advanced enough programmer wanted to do the research and exploit these, they wouldn't be desperate to get into Steve's from Liverpool home computer so they can look at his Ibiza photos.

What about installing a keylogger, so you can steal his online banking password and empty out his bank account? Or get enough info to steal his identity and take out a big loan in his name? Or encrypt his hard drive and charge him $1k to unlock it? After succeeding at one of those, a few times, poorly-secured home users start to become much more attractive targets.

While you're not as big a target as a multinational corporation, the average home user also isn't nearly as well secured. Don't be complacent.

 

[bit_user]

All or most of these side channel attacks seem to require you to already have malicious software running on the machine.

Yeah, side-channel attacks aren't the main vulnerability for embedded devices without web browsers or some other way of executing remote code.

 

[bit_user]

I am fairly confident that the people finding these flaws are testing for them on both AMD and Intel -- Intel certainly would have interest/benefit and resources to make it so.

That said, I also believe that AMD is pretty quiet on Intel vulnerabilities, because if they start marketing for that, it could easily turn around and bite them at some point in the future.

When you are one step ahead of the crowd, they see you as a genius. Two steps ahead and you are deemed a crackpot.

You, sir, are a crackpot.

 

[bit_user]

There is a simple way to avoid keystroke inference by timing analysis: set your terminal to line mode

Also, enable XON/XOFF flow control and be sure to use ZModem for your file transfers.
; )

 

[joeblowsmynose]

You, sir, are a crackpot.

Why thank you sir.

 

[Keviny Oliveira]

it's logical that if you are attempting to infiltrate a market, you will naturally aim for the one that holds a huge market share,

Yes, but for this chance to exist, it is necessary that the product or software has these "doors" open, after all hacking is not easy but if the product or software facilitates why not exploit 😉😉😉