Cisco Security Advisory
Row Hammer Privilege Escalation Vulnerability
Medium
Advisory ID:
cisco-sa-20150309-rowhammer
First Published:
2015 March 9 21:50 GMT
Last Updated:
2016 September 8 19:07 GMT
Version 1.4:
Workarounds:
No workarounds available
-
On March 9, 2015, new research was published that takes advantage of a flaw in double data rate type 3 (DDR3) synchronous dynamic random-access memory (SDRAM) to perform privilege escalation attacks on systems that contain the affected hardware. The flaw is known as Row Hammer. To attempt an attack, the attacker must execute a malicious binary on an affected system.
In addition, the research focused on consumer hardware that did not have a number of mitigations and memory protections that have been integrated into chipsets and memory modules used in Cisco server-class products. Of note in the paper is that the researchers were unable, in their testing, to exploit devices that use Error-Correcting Code (ECC) memory.
Cisco offers a limited number of products that allow an unprivileged user to load and execute binaries.
The research report is at the following link:
http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150309-rowhammer
-
Cisco offers a limited number of products that allow an unprivileged user to load and execute binaries. The products in the following list allow users to load and execute binaries and are currently under investigation. Each of the following products contains a number of hardware protections against Row Hammer events, including ECC memory modules. Based on the initial research report, there is no reason to believe any Cisco products would be affected. However, Cisco is testing against the following products to confirm.
Update (March 30th, 2015): The evaluation of Cisco devices has shown that this issue is not exploitable on devices that are equipped with ECC DDRAM and have the ECC checking options enabled in their BIOS. This is the default state on all evaluated products. All Cisco UCS computing devices have been found to be not affected by the Row Hammer Privilege Escalation attack as shipped from Cisco. Validation has been performed on all Cisco UCS devices utilizing Cisco qualified Dual-Inline Memory Modules. DIMM devices that have been installed in a UCS computing device that are not Cisco qualified parts may be affected.Vulnerable Products
No Cisco products are known to be affected by the Row Hammer Privilege Escalation Attack.Products Confirmed Not Vulnerable
Exploitation of this vulnerability requires an attacker to execute arbitrary code on the affected device. The following devices have been confirmed to not allow the local execution of arbitrary code by design:
- Devices running Cisco IOS Software
- Devices running Cisco IOS XE Software
- Devices running Cisco IOS XR Software
- Devices running Cisco ASA Software
- Cisco Web Security Appliances (WSA)
- Cisco Email Security Appliances (ESA)
- Cisco Nexus 2000 Series devices running Cisco NX-OS Software
- Cisco Nexus 4000 Series devices running Cisco NX-OS Software
- Cisco Nexus 5000 Series devices running Cisco NX-OS Software
- Cisco Nexus 6000 Series devices running Cisco NX-OS Software
- Cisco Nexus 7000 Series devices running Cisco NX-OS Software
- Cisco MDS 9000 Series devices running Cisco NX-OS Software
The following products have been evaluated and are not affected:- Cisco Nexus 3000 Series devices running Cisco NX-OS Software
- Cisco Nexus 9000 Series devices running Cisco NX-OS Software
- Cisco Unified Computing System B-Series Blade Servers
- Cisco Unified Computing System E-Series ISR Blade Servers
- Cisco Unified Computing System C-Series Rack Servers
No other Cisco products are currently known to be affected by this vulnerability.
-
Row Hammer DDR3 Privilege Escalation Vulnerability
On March 9, 2015, new research and findings related to a previously known issue discovered in the DDR3 memory specification were released. The new research takes advantage of a class of DDR3 memory limitations called Row Hammer. The Row Hammer issue was first recognized in the industry on a large scale in 2012 when high-performance computing was increasing demands on DDR3-based systems and triggering failures. The typical failure case at the time involved memory corruption and subsequent device crashes. Both memory manufacturers and chipset vendors began building mitigations for Row Hammer into their parts.
The research report is here:
http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
The latest research shows that these types of errors can be introduced in a predictable manner. A proof of concept that runs on the Linux operating system has been released that uses the predictability of these errors to modify the memory of affected devices from an unprivileged context. This capability may be used by an authenticated, local attacker who can execute an attacker-supplied binary to elevate the attacker's privileges to that of a superuser or root account.
Because the attacker must execute a binary to trigger this issue, only Cisco products that allow unprivileged local user access as well as the ability to execute a binary may be affected.
The research specifies that researchers were unable to demonstrate an impact on ECC-equipped products.
-
No direct workarounds or remediations are available to mitigate this vulnerability.
-
When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
-
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show Complete History...Revision 1.4 2015-March-30 Confirmed all Cisco UCS Devices as Not Vulnerable. Document State moved to Final. Revision 1.3 2015-March-17 Added product evaluation status update to the Affected Products section. Revision 1.2 2015-March-11 Updated Product Status.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.