CVE-2015-0565
📋 TL;DR
CVE-2015-0565 covers the DRAM "rowhammer" disturbance error as exposed through Google Chrome's Native Client (NaCl) sandbox. Repeatedly activating the same DRAM rows (a load followed by CLFLUSH, which evicts the line so the next load goes to DRAM again rather than the cache) can flip bits in physically adjacent rows. The NaCl x86 validator accepted CLFLUSH, so sandboxed code delivered by a web page could run this loop and flip bits outside the memory it was allowed to write, escaping the sandbox. The same primitive, run from an ordinary unprivileged Linux process, was used to corrupt page-table entries and gain kernel-level read/write. It affects systems with susceptible DRAM on which untrusted code can execute CLFLUSH (or otherwise evict cache lines) in a tight loop.
💻 Affected Systems
- Any system with DRAM susceptible to rowhammer (the 2014/2015 research focused on DDR3 laptop and desktop modules; later work showed some DDR4 is affected as well)
- Google Chrome / Chromium with NaCl enabled, before the NaCl validator was changed to reject CLFLUSH (Chrome 41)
📦 What is this software?
Native Client (NaCl) was Chrome's sandbox for running compiled native code delivered by web pages. A static validator inspects the module's instruction stream and rejects any instruction outside an allow-list before the code runs; CLFLUSH was on that allow-list until this fix. The underlying rowhammer effect is a property of the DRAM itself and is not specific to Chrome.
⚠️ Risk & Real-World Impact
Worst Case
Web-delivered NaCl code escapes the sandbox, or a local unprivileged process flips bits in its own page-table entries to obtain write access to page tables and hence to all physical memory: full kernel compromise. The bit flips themselves live only in DRAM and do not survive a power cycle; anything the attacker writes to disk or firmware with the escalated privileges does.
Likely Case
Local privilege escalation on a susceptible (typically non-ECC DDR3) machine: an unprivileged process gains kernel-level read/write. Exploitation is probabilistic and may crash the host instead of succeeding.
If Mitigated
Limited impact. ECC corrects single-bit flips and reports them (a detection signal); multi-bit flips are usually detected and halt the machine rather than being exploitable. Raised refresh rates or Target Row Refresh (TRR) reduce how often flips occur. Rejecting CLFLUSH in the NaCl validator removes the reliable cache-eviction primitive from sandboxed code; eviction-only attacks remain possible in principle but are much harder.
🎯 Exploit Status
The NaCl sandbox escape is reachable from web content (a page serves a NaCl module), so it does not require prior local access; the kernel privilege-escalation variant needs an unprivileged local process. Google Project Zero published working proof-of-concept exploits for both in March 2015 (mirrored on Exploit-DB, see references). Exploitation is probabilistic: it depends on the specific DRAM, on finding addresses that map to adjacent rows of the same bank, and on spraying the target structure (page tables) into the victim rows, and a failed attempt can crash the system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Google Chrome 41 (stable release of March 2015): the NaCl validator rejects CLFLUSH. There is no software patch for the DRAM itself; some hardware vendors shipped BIOS/UEFI updates that raise the DRAM refresh rate (typically 2x) or enable TRR where the memory controller supports it.
Vendor Advisory: Chrome 41 release notes and the Google Project Zero write-up (see references); OEM firmware advisories vary by vendor.
Restart Required: Yes (browser restart for the Chrome update; reboot for firmware changes)
Instructions:
1. Update Chrome/Chromium to 41 or later, or disable NaCl until you can
2. Update BIOS/UEFI from the hardware vendor and enable any refresh-rate or TRR option it exposes
3. Prefer ECC memory for servers and other shared hosts
4. Replace DRAM modules that still show bit flips under test after the firmware mitigations are applied
🔧 Temporary Workarounds
Disable NaCl in Chrome
Chrome: turn off Native Client at chrome://flags/#enable-nacl (or via enterprise policy) until the browser is updated. This removes the web-reachable path; it does nothing for native local code.
Note that CLFLUSH is an unprivileged instruction: it cannot be disabled by kernel parameters, mount options such as noexec, or any OS setting, so there is no system-wide switch for it. The only places it can be blocked are sandboxes that validate or JIT the code they run.
Increase DRAM refresh rate / enable Target Row Refresh
All platforms: in BIOS/UEFI, raise the refresh rate (2x where offered) and enable TRR if the memory controller and DIMMs support it. This lowers the flip rate but does not guarantee zero flips.
🧯 If You Can't Patch
- Isolate susceptible hosts from untrusted users and untrusted code, including sandboxed browser content and shared tenants
- Use ECC memory where available (it corrects single-bit flips and exposes them as correctable-error counts; it is not a complete mitigation)
🔍 How to Verify
Check if Vulnerable:
Run Google's rowhammer-test (https://github.com/google/rowhammer-test) on an idle, non-production machine; it can flip bits in kernel memory and crash the host. A run that finds flips is conclusive; a short run with no flips is not, since flips depend on which rows happen to be hammered.
Check Version:
Chrome: chrome://version should show 41 or later. Firmware and memory: `dmidecode -t bios` and `dmidecode -t memory` (Linux) report the BIOS version, DIMM type and whether ECC is present; compare against the vendor's advisory.
Verify Fix Applied:
Re-run rowhammer-test for an extended period after the firmware update; the flip count should stay at zero. On ECC hosts, also confirm that correctable-error counters are not climbing under load.
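The load-plus-CLFLUSH loop at the heart of this CVE, as an added probe written for this page (it is neither Google's rowhammer-test nor the Project Zero exploit code): it hammers two aggressor addresses, then scans a large buffer for bits that changed. It assumes x86 (on other ISAs it falls back to plain loads, which hit the cache and do not hammer), and it picks the two aggressors blindly rather than by DRAM row and bank geometry, so a result of zero is not proof of immunity; use rowhammer-test on a non-production machine for a real check, since flips can land in kernel memory and crash the host.

```c
/* Minimal rowhammer probe (illustration code for this page, not a vendor tool).
   On non-susceptible DRAM, or with TRR/ECC, the returned flip count is 0. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>
#define HAVE_CLFLUSH 1
static inline void flush_line(const void *p) { _mm_clflush(p); }
#else
#define HAVE_CLFLUSH 0
static inline void flush_line(const void *p) { (void)p; } /* no CLFLUSH on this ISA: loads stay cached */
#endif

#define PAGE 4096u

int clflush_available(void) { return HAVE_CLFLUSH; }

/* One hammer pass: read both aggressors, then evict them so the next read
   must reopen the DRAM row. Without the flush the reads are served from cache
   and the rows are never re-activated, which is why NaCl rejecting CLFLUSH
   blunts the attack. */
static void hammer(volatile uint8_t *a, volatile uint8_t *b, uint64_t iters) {
    for (uint64_t i = 0; i < iters; i++) {
        uint8_t s = *a ^ *b;       /* volatile reads: not optimised away */
        (void)s;
        flush_line((const void *)a);
        flush_line((const void *)b);
    }
}

/* Fill buf with pattern, hammer two addresses inside it, count bits that changed.
   Aggressor choice is blind (middle of the buffer, 8 pages apart): a real test
   walks many address pairs to hit adjacent rows of the same bank. */
uint64_t count_flips(uint8_t *buf, size_t len, uint8_t pattern, uint64_t iters) {
    memset(buf, pattern, len);
    volatile uint8_t *a = buf + len / 2;
    volatile uint8_t *b = a + 8 * PAGE;
    hammer(a, b, iters);

    volatile const uint8_t *vb = buf;  /* force real loads during the scan */
    uint64_t flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (uint64_t)__builtin_popcount(vb[i] ^ pattern);
    return flips;
}

/* Run with both fill patterns, since flips can be 1->0 or 0->1.
   Returns UINT64_MAX if the buffer is too small for the aggressor layout. */
uint64_t rowhammer_probe(size_t len, uint64_t iters) {
    if (len < 32 * PAGE) return UINT64_MAX;
    uint8_t *buf = malloc(len);
    if (!buf) return UINT64_MAX;
    uint64_t total = count_flips(buf, len, 0xFF, iters)
                   + count_flips(buf, len, 0x00, iters);
    free(buf);
    return total;
}

int main(void) {
    size_t len = (size_t)64 << 20;           /* 64 MiB scan region */
    uint64_t flips = rowhammer_probe(len, 5000000ull);
    printf("clflush available: %d, bit flips observed: %llu\n",
           clflush_available(), (unsigned long long)flips);
    return 0;
}
```

The per-iteration cost is two DRAM accesses plus two flushes, so the 5 million iterations in main take well under a second; rowhammer-test runs far longer and over far more address pairs, which is what a real susceptibility check needs.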
📡 Detection & Monitoring
Log Indicators:
- On ECC hosts: bursts of correctable ECC errors (Linux EDAC `ce_count` under /sys/devices/system/edac/mc/, `edac-util`, mcelog, or kernel log lines from the EDAC core). Background correctable errors are rare and spread out; rowhammer produces many within seconds, often on the same DIMM.
- On non-ECC hosts: unexplained kernel oops/panics or process crashes with page-table or heap corruption. CLFLUSH execution itself is not logged by any operating system, so there is no direct instruction-level indicator.
- Unexpected privilege escalation events, and NaCl modules being loaded where NaCl use is unusual
Network Indicators:
- None beyond delivery of the NaCl module over HTTP(S); the hammering is local
SIEM Query:
Alert when a host's EDAC correctable-error counters increase by more than a small threshold within a one-minute window, or when mcelog reports repeated correctable errors on one DIMM; correlate with new privileged processes on the same host.
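The correctable-error burst rule above, as an added example written for this page (not an EDAC or mcelog tool): it parses dmesg-style lines, keeps only those with the Linux EDAC core's "EDAC MCn: N CE" prefix, and reports the largest number of correctable errors seen in any sliding window. The sample lines are constructed; real drivers print different fields after the prefix, so only the prefix is parsed.

```c
/* Detect bursts of correctable ECC errors in dmesg-style log lines.
   Illustration code for this page; the log lines below are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_EVENTS 256

typedef struct { double t; int mc; int count; } ce_event;

/* Parse one dmesg line: "[<seconds>] EDAC MC<n>: <count> CE ...".
   Returns 1 and fills ev if the line is a correctable-error report. */
int parse_ce_line(const char *line, ce_event *ev) {
    double t; int mc, n;
    if (sscanf(line, "[%lf] EDAC MC%d: %d CE", &t, &mc, &n) == 3) {
        ev->t = t; ev->mc = mc; ev->count = n;
        return 1;
    }
    return 0;
}

/* Largest number of CEs inside any window of `window` seconds.
   Lines are assumed in dmesg order (ascending timestamps). */
int max_ce_in_window(const char *const *lines, int nlines, double window) {
    ce_event ev[MAX_EVENTS];
    int n = 0;
    for (int i = 0; i < nlines && n < MAX_EVENTS; i++)
        if (parse_ce_line(lines[i], &ev[n])) n++;

    int best = 0;
    for (int i = 0; i < n; i++) {
        int sum = 0;
        for (int j = i; j < n && ev[j].t - ev[i].t <= window; j++)
            sum += ev[j].count;
        if (sum > best) best = sum;
    }
    return best;
}

/* 1 if any window reaches `threshold` CEs, else 0. */
int burst_detected(const char *const *lines, int nlines, double window, int threshold) {
    return max_ce_in_window(lines, nlines, window) >= threshold;
}

/* Constructed sample: one background CE two hours earlier, then a burst. */
static const char *const SAMPLE[] = {
    "[  100.000000] EDAC MC0: 1 CE memory read error on DIMM_A1 (constructed sample)",
    "[ 3600.500000] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
    "[ 7210.000000] EDAC MC0: 1 CE memory read error on DIMM_A1 (constructed sample)",
    "[ 7210.250000] EDAC MC0: 3 CE memory read error on DIMM_A1 (constructed sample)",
    "[ 7211.000000] EDAC MC0: 2 CE memory read error on DIMM_A1 (constructed sample)",
    "[ 7240.000000] EDAC MC0: 1 CE memory read error on DIMM_A1 (constructed sample)",
};
#define NSAMPLE ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

int main(void) {
    printf("max CEs in 60 s: %d, burst: %d\n",
           max_ce_in_window(SAMPLE, NSAMPLE, 60.0),
           burst_detected(SAMPLE, NSAMPLE, 60.0, 5));
    return 0;
}
```

A threshold of a handful of CEs per minute on one host is far above the normal background rate; tune it against a week of your own EDAC history before alerting on it.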
🔗 References
- https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
- https://www.exploit-db.com/exploits/36310/
- https://www.exploit-db.com/exploits/36311/