RAMBleed Exploit Inflicts Rowhammer-Style Attack On Private Data From PC Memory

PC Memory
Sometimes it feels as though nary a day goes by without someone sounding the alarm on a new security vulnerability. More recently, there has been a lot of hoopla over side-channel exploits, such as Spectre and Meltdown, and various other variants. Here is another one to add to your mental catalog of exploits—RAMBleed.

A team of researchers has given the name RAMBleed to yet another new side-channel attack based on Rowhammer, which itself is a set of vulnerabilities that allows unprivileged attackers to exploit design flaws in DRAM and memory cards. Around this same time last year, a Rowhammer-style exploit called RAMpage reared its ugly head on Android phones.

Now security researchers from the University of Michigan, Graz University of Technology, and University of Adelaide are talking about RAMBleed. In short, RAMBleed makes it possible for an attacker to read the contents of DRAM on a Windows PC, and do so without directly accessing the memory.

"Previous attacks exploited the Rowhammer effect to write (or flip) bits in the victim's memory. RAMBleed is different in that it uses Rowhammer for reading data stored inside the computer's physical memory. As the physical memory is shared among all process in the system, this puts all processes at risk," the researchers explain.

The researchers say that RAMBleed can potentially read any data stored in memory, though in practice, what can be read depends on the victim program's memory access programs. As a proof-of-concept, the researchers leveraged RAMBleed to read an OpenSSH 7.9 RSA key.

While this sounds frightening, the good news is attackers are not able to leverage RAMBleed remotely—it is a local attack. It is being tracked under advisory CVE-2019-0174 and has been assigned a Common Vulnerability Scoring System (CVSS) rating of 3.8 out of 10. Researchers also say it is "unlikely" that RAMBleed has ever been exploited in the wild up to this point.
Show comments blog comments powered by Disqus