RAMBleed: retrieve an RSA key in 34 hours
Introduced a new RAMBleed attack based on the Rowhammer method. Now, not only integrity, but also the confidentiality of user data is under attack.
Researchers demonstrated an attack on OpenSSH, during which they managed to extract a 2048-bit RSA key. According to them, OpenSSH was chosen as an example, and in a similar way, an attacker can read the physical memory of any other processes.
The RAMBleed attack is based on a Rowhammer error that occurs when you re-access strings in DRAM, which causes bits to be changed in adjacent strings, even if they were not accessible. Rowhammer abuse can be used to elevate privileges.
RAMBleed attack is aimed at stealing information. It is equally effective for reading any data stored in the physical memory of a computer. Since physical memory is shared between all processes in the system, this puts all processes at risk. In addition, the implementation of the attack does not require constant bit changes, which makes it more effective against the ECC memory used in servers. The change of bits is used by RAMBleed only as read channels, so that confidential information leaks regardless of whether the inverted bit has been fixed or not.
Researchers report that the attack cannot be completely prevented. You can reduce the risk and upgrade memory to DDR4 with line refresh (TRR) enabled. Although bit fluctuations caused by Rowhammer were demonstrated on the TRR, it is more difficult to do in practice. Manufacturers can help solve the problem by more thorough testing for faulty DIMMs. In addition, publicly documenting specific vendor-specific TRR implementations can contribute to a more efficient development process, as security researchers examine such implementations for vulnerabilities.
At the moment, according to the researchers, there is hardly any antivirus software that can fix RAMBleed. But it is also unlikely that exploitation of the vulnerability will often be encountered in real attacks. Although the researchers managed to demonstrate an attack on the server and the PC, and the Rowhammer attacks showed on both mobile devices and laptops, RAMBleed is unlikely to become an epidemic. Due to the need for physical access to memory blocks, the use of special equipment and enough time, such attacks are very difficult to implement.
RAMBleed is assigned CVE-2019-0174.