CVE-2020-10255

Severity Score

9.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Modern DRAM chips (DDR4 and LPDDR4 after 2015) are affected by a vulnerability in deployment of internal mitigations against RowHammer attacks known as Target Row Refresh (TRR), aka the TRRespass issue. To exploit this vulnerability, the attacker needs to create certain access patterns to trigger bit flips on affected memory modules, aka a Many-sided RowHammer attack. This means that, even when chips advertised as RowHammer-free are used, attackers may still be able to conduct privilege-escalation attacks against the kernel, conduct privilege-escalation attacks against the Sudo binary, and achieve cross-tenant virtual-machine access by corrupting RSA keys. The issue affects chips produced by SK Hynix, Micron, and Samsung. NOTE: tracking DRAM supply-chain issues is not straightforward because a single product model from a single vendor may use DRAM chips from different manufacturers.

Los chips DRAM modernos (DDR4 y LPDDR4 después de 2015) están afectados por una vulnerabilidad en la implementación de mitigaciones internas contra los ataques de tipo RowHammer conocido como Target Row Refresh (TRR), también se conoce como el problema TRRespass. Para explotar esta vulnerabilidad, el atacante requiere crear determinados patrones de acceso para activar cambios de bits sobre los módulos de memoria afectados, también se conoce como un ataque de tipo RowHammer de Muchos Flancos. Esto significa que, incluso cuando son usados chips anunciados como RowHammer-free, los atacantes aún pueden ser capaces de dirigir ataques de escalada de privilegios contra el kernel, conducir ataques de escalada de privilegios contra el binario Sudo y lograr el acceso a máquinas virtuales entre inquilinos al corromper claves RSA. El problema afecta a los chips producidos por SK Hynix, Micron y Samsung. NOTA: el seguimiento de los problemas de la cadena de suministro de DRAM no es sencillo porque un solo modelo de producto de un único proveedor puede usar chips DRAM de diferentes fabricantes.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-03-09 CVE Reserved
2020-03-10 CVE Published
2024-08-04 CVE Updated
2024-10-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (6)

URL	Tag	Source
https://download.vusec.net/papers/trrespass_sp20.pdf	Third Party Advisory
https://github.com/vusec/trrespass	Product
https://thehackernews.com/2020/03/rowhammer-vulnerability-ddr4-dram.html	Third Party Advisory
https://twitter.com/antumbral/status/1237425959407513600	Third Party Advisory
https://twitter.com/vu5ec/status/1237399112590467072	Third Party Advisory
https://www.vusec.net/projects/trrespass	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Micron Search vendor "Micron"		Ddr4 Sdram Search vendor "Micron" for product "Ddr4 Sdram"				-		-		Affected
Micron Search vendor "Micron"		Lpddr4 Search vendor "Micron" for product "Lpddr4"				-		-		Affected
Samsung Search vendor "Samsung"		Ddr4 Search vendor "Samsung" for product "Ddr4"				-		-		Affected
Samsung Search vendor "Samsung"		Lpddr4 Search vendor "Samsung" for product "Lpddr4"				-		-		Affected
Skhynix Search vendor "Skhynix"		Ddr4 Sdram Search vendor "Skhynix" for product "Ddr4 Sdram"				-		-		Affected
Skhynix Search vendor "Skhynix"		Lpddr4 Search vendor "Skhynix" for product "Lpddr4"				-		-		Affected