CVE-2020-10255
📋 TL;DR
CVE-2020-10255 is a hardware vulnerability in DDR4 and LPDDR4 DRAM chips manufactured after 2015 that bypasses Target Row Refresh (TRR) mitigations against RowHammer attacks. Attackers can trigger bit flips in memory to escalate privileges, compromise cryptographic keys, and potentially achieve cross-VM access. This affects systems using vulnerable DRAM chips from SK Hynix, Micron, and Samsung.
💻 Affected Systems
- Systems with DDR4/LPDDR4 DRAM chips from SK Hynix, Micron, Samsung manufactured after 2015
📦 What is this software?
- DDR4 by Samsung
- DDR4 SDRAM by SK Hynix
- LPDDR4 by Micron
- LPDDR4 by Samsung
- LPDDR4 by SK Hynix
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise including kernel privilege escalation, Sudo binary takeover, cross-tenant VM escape, and RSA key corruption leading to complete data breach.
Likely Case
Privilege escalation attacks against kernel or Sudo, potentially leading to unauthorized administrative access on affected systems.
If Mitigated
Limited impact if proper memory isolation and access controls are implemented, though the hardware vulnerability remains.
🎯 Exploit Status
Exploitation requires physical or virtual memory access and specific access patterns to trigger bit flips. The TRRespass tool demonstrates proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: N/A
Restart Required: No
Instructions:
This is a hardware vulnerability with no direct software patch. Contact hardware vendors for potential BIOS/firmware updates that may implement additional mitigations.
🔧 Temporary Workarounds
Enable ECC Memory
All platforms: Use Error-Correcting Code (ECC) memory to detect and correct bit flips caused by RowHammer attacks.
Hardware configuration required - no command
Memory Isolation Controls
All platforms: Implement strict memory isolation between processes and VMs to limit attack surface.
System-specific configuration required
🧯 If You Can't Patch
- Segment critical systems from untrusted users/VMs
- Implement strict access controls and monitoring for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check DRAM manufacturer and model via dmidecode or similar hardware inventory tools. Run TRRespass tool from VUSec to test susceptibility.
Check Version:
dmidecode --type memory | grep -i manufacturer
Verify Fix Applied:
No complete fix exists. Verify ECC memory is enabled and functioning via system logs or hardware monitoring tools.
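One way to script the inventory and ECC checks described above on a Linux host. This is an added example, not part of the original advisory or of any vendor tooling. The function names and the sample dmidecode text are constructed for illustration, and the EDAC counters are assumed to be exposed under /sys/devices/system/edac/mc.

```shell
#!/bin/sh
# Constructed `dmidecode --type memory` excerpt (not from a real host).
sample_dmidecode() {
cat <<'EOF'
Physical Memory Array
	Error Correction Type: Multi-bit ECC
Memory Device
	Type: DDR4
	Type Detail: Synchronous
	Manufacturer: Samsung
Memory Device
	Type: DDR3
	Manufacturer: Kingston
EOF
}

# Print the SMBIOS "Error Correction Type" ("None" means no ECC).
ecc_mode() {
  awk -F': *' '/Error Correction Type:/ { print $2; exit }'
}

# Print "Manufacturer Type" for DDR4/LPDDR4 modules from the advisory's vendors.
listed_dimms() {
  awk -F': *' '
    /^Memory Device/       { type = "" }
    /^[ \t]*Type:/         { type = $2 }
    /^[ \t]*Manufacturer:/ {
      if ((type == "DDR4" || type == "LPDDR4") &&
          tolower($2) ~ /samsung|hynix|micron/) print $2, type
    }'
}

# Sum corrected (ce) or uncorrected (ue) error counters under an EDAC tree.
edac_total() {  # usage: edac_total DIR ce|ue
  total=0
  for f in "$1"/mc*/"$2"_count; do
    if [ -r "$f" ]; then total=$((total + $(cat "$f"))); fi
  done
  echo "$total"
}

# Live run (dmidecode needs root): sh check.sh --live
if [ "${1:-}" = "--live" ]; then
  out=$(dmidecode --type memory)
  echo "ECC mode: $(printf '%s\n' "$out" | ecc_mode)"
  printf '%s\n' "$out" | listed_dimms
  edac=/sys/devices/system/edac/mc
  echo "EDAC corrected=$(edac_total "$edac" ce) uncorrected=$(edac_total "$edac" ue)"
fi
```

The SMBIOS Manufacturer field names the module vendor, which can differ from the maker of the DRAM chips on the module, so an empty list is not proof that the chips are unaffected. A corrected-error count that keeps rising on a host running untrusted workloads is worth correlating with the log indicators listed below.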
📡 Detection & Monitoring
Log Indicators:
- Memory error corrections (ECC events)
- Unexpected privilege escalation attempts
- Kernel panic or system instability
Network Indicators:
- N/A - local hardware attack
SIEM Query:
Search for: (EventID: 1 OR EventID: 41) AND (Memory OR ECC) OR (sudo OR privilege escalation anomalies)
🔗 References
- https://download.vusec.net/papers/trrespass_sp20.pdf
- https://github.com/vusec/trrespass
- https://thehackernews.com/2020/03/rowhammer-vulnerability-ddr4-dram.html
- https://twitter.com/antumbral/status/1237425959407513600
- https://twitter.com/vu5ec/status/1237399112590467072
- https://www.vusec.net/projects/trrespass/