RAMBleed: extracting an RSA key in 34 hours

A new attack called RAMBleed, based on the Rowhammer technique, has been presented. Now not only the integrity of user data but also its confidentiality is at stake.

The researchers demonstrated an attack on OpenSSH, during which they were able to extract a 2048-bit RSA key. According to them, OpenSSH was chosen only as an example; an attacker could similarly read the physical memory of any other process.

At the heart of the RAMBleed attack is the Rowhammer fault, which occurs when rows in DRAM are accessed repeatedly and causes bits to flip in adjacent rows, even though those rows were never accessed. Rowhammer can be abused to elevate privileges.

The RAMBleed attack is aimed at stealing information. It is equally effective for reading any data stored in the physical memory of a computer. Since physical memory is shared among all processes in the system, it puts all processes at risk. In addition, the attack does not require persistent bit flips, which makes it more effective against the ECC memory used in servers. RAMBleed uses bit flips only as a read channel, so confidential information leaks regardless of whether the flipped bit has been corrected or not.

The researchers report that the attack cannot be completely prevented. You can reduce the risk by upgrading the memory to DDR4 with targeted row refresh (TRR) enabled. Although Rowhammer-induced bit flips have been demonstrated on memory with TRR, in practice they are more difficult to achieve. Manufacturers can help solve the problem by testing more thoroughly for faulty DIMM modules. In addition, publicly documenting the specific TRR implementations developed by a supplier can contribute to a more efficient development process, since information security researchers test such implementations for vulnerabilities.

At the moment, according to the researchers, there is hardly any antivirus software that can fix RAMBleed. But it is also unlikely that the vulnerability will be exploited often in real attacks. Although the researchers were able to demonstrate an attack on a server and a PC, and Rowhammer attacks have been demonstrated on both mobile devices and laptops, RAMBleed is unlikely to become an epidemic. Because of the need for physical access to the memory blocks, the use of special equipment and enough time, such attacks are very difficult to carry out.

RAMBleed has been assigned CVE-2019-0174.

Source: https://habr.com/ru/post/455948/

