Google Project Zero reported recently that they have created a working local privilege escalation exploit for the "Rowhammer" problem.
The original problem was described in Yoongu Kim et al.'s paper “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors”.
“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. The exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.
Any x86/x86_64 machine with modern DRAM chips, running any kernel version, might be affected by the problem. There is no known list of vulnerable DRAM chips. You can test your own machine with the rowhammer-test tool.
Note that it might take dozens of minutes or several hours for the test to find the problem. Run it with caution on production machines. Also note that a negative result (an absence of bit flips) on a given machine does not definitively mean that rowhammer cannot cause bit flips on that machine.
The working exploit allows a local user to gain root privileges on the machine. Theoretically, it is possible to use the same technique to escape from a CT or VM and gain full control over the host machine.
There is no software-only solution to this problem. Possible mitigations include:
- using ECC memory. While ECC memory doesn't provide 100% protection against the 'Rowhammer' attack, it reduces the chances of the exploit working by correcting 1-bit errors and halting the machine in case of 2-bit errors.
- a BIOS update to increase the memory refresh rate. Increasing the memory refresh rate reduces the chances of the exploit working. Check with your BIOS vendor regarding updates.
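As a practical check of the first mitigation, the following POSIX shell script (an added example, not part of the original advisory or of the rowhammer-test tool) reads what the Linux EDAC subsystem reports: whether the DIMMs behind each memory controller run in an ECC mode, and how many corrected and uncorrected errors have been counted so far. A rising corrected-error count on an ECC machine is also the kind of signal a defender would want to watch, since the advisory notes that ECC only corrects 1-bit flips. It assumes the standard EDAC sysfs layout under `/sys/devices/system/edac/mc` (`mc*/ce_count`, `mc*/ue_count`, `mc*/dimm*/dimm_edac_mode`); the root directory is a parameter so the function can be pointed at another tree.

```shell
#!/bin/sh
# edac_report [EDAC_ROOT]
# Summarise ECC status from the Linux EDAC sysfs tree.
# Exit status: 0 = ECC DIMMs found, 1 = controllers present but no ECC DIMMs,
#              2 = EDAC not available (no driver loaded), so status is unknown.
# Assumption: the kernel's EDAC layout mc*/ce_count, mc*/ue_count and
# mc*/dimm*/dimm_edac_mode (values such as SECDED or S4ECD4ED mean ECC is active).
edac_report() {
    root="${1:-/sys/devices/system/edac/mc}"
    ce_total=0
    ue_total=0
    controllers=0
    ecc_dimms=0

    if [ ! -d "$root" ]; then
        echo "EDAC not available under $root; ECC status unknown"
        return 2
    fi

    for mc in "$root"/mc[0-9]*; do
        [ -d "$mc" ] || continue
        controllers=$((controllers + 1))
        # Corrected (ce) and uncorrected (ue) error counters for this controller
        ce=$(cat "$mc/ce_count" 2>/dev/null || echo 0)
        ue=$(cat "$mc/ue_count" 2>/dev/null || echo 0)
        ce_total=$((ce_total + ce))
        ue_total=$((ue_total + ue))
        for dimm in "$mc"/dimm[0-9]*; do
            [ -d "$dimm" ] || continue
            mode=$(cat "$dimm/dimm_edac_mode" 2>/dev/null || echo "Unknown")
            # Parity detects but does not correct; None/Unknown/Reserved give no protection
            case "$mode" in
                None|Unknown|Reserved|Parity|"") ;;
                *) ecc_dimms=$((ecc_dimms + 1)) ;;
            esac
        done
    done

    if [ "$controllers" -eq 0 ]; then
        echo "no memory controllers registered with EDAC; ECC status unknown"
        return 2
    fi

    echo "controllers=$controllers ecc_dimms=$ecc_dimms corrected=$ce_total uncorrected=$ue_total"
    if [ "$ecc_dimms" -eq 0 ]; then
        return 1
    fi
    return 0
}

# When run directly: report on the live host and show the verdict as an exit status
edac_report "$@" || printf 'exit status %s\n' "$?"
```

Run it as root (or any user that can read sysfs) on the machine in question; if it reports "EDAC not available", the relevant memory-controller EDAC driver is not loaded, and `dmidecode -t memory` ("Error Correction Type") is the fallback for finding out whether the DIMMs are ECC at all.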