CVE-2020-10255 Overview
CVE-2020-10255, also known as TRRespass, is a critical hardware vulnerability affecting modern DRAM chips (DDR4 and LPDDR4 manufactured after 2015). It exposes a fundamental weakness in the deployment of Target Row Refresh (TRR), the in-DRAM mitigation that vendors added to protect against RowHammer attacks. Although DRAM vendors marketed these chips as "RowHammer-free," researchers demonstrated that attackers can bypass TRR using a technique called many-sided RowHammer, a pattern that hammers more aggressor rows than the TRR logic can track, and induce bit flips in memory that can lead to severe security compromises.
Critical Impact
Attackers can exploit this hardware vulnerability for privilege escalation against the kernel and the sudo binary, and for cross-tenant access between virtual machines by corrupting RSA keys, bypassing the memory isolation the hardware is supposed to guarantee.
Affected Products
- Micron DDR4 SDRAM
- Micron LPDDR4
- Samsung DDR4
- Samsung LPDDR4
- SK Hynix DDR4 SDRAM
- SK Hynix LPDDR4
Discovery Timeline
- 2020-03-10 - CVE-2020-10255 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-10255
Vulnerability Analysis
TRRespass represents a significant advancement in RowHammer attack techniques that bypasses the Target Row Refresh (TRR) mitigation deployed in modern DRAM chips. The original RowHammer vulnerability exploits a physical property of DRAM: repeatedly activating (hammering) a row accelerates charge leakage in the physically adjacent rows, so cells in those rows can lose their value before the next periodic refresh restores it. DRAM manufacturers implemented TRR as a countermeasure that watches activation patterns inside the chip and issues extra refreshes to the rows next to an aggressor that appears to be under attack.
The TRRespass research shows that deployed TRR implementations fail because they can follow only a small, fixed number of aggressor rows at a time. A "many-sided" pattern hammers many aggressor rows in turn, usually every other row so that each victim sits between two aggressors. With more aggressors in play than the tracker can hold, some victims are never refreshed and still flip, even though each aggressor receives fewer activations than in a classic double-sided attack. The attack does not require any software vulnerability; it combines the physical properties of DRAM cells with an insufficient hardware mitigation.
The vulnerability enables several attack scenarios, including kernel privilege escalation, compromise of security-sensitive binaries such as sudo, and cross-tenant attacks in virtualized cloud environments through RSA key corruption. The "network" attack vector attached to this CVE refers to the cloud case, where an attacker controlling one virtual machine corrupts memory belonging to another tenant on the same physical host; in every scenario the attacker must be able to run code on the machine whose DRAM is being hammered.
Root Cause
NVD classifies the weakness as improper input validation (CWE-20), which fits only loosely: the actual defect is that TRR implementations have a limited capacity for tracking aggressor rows. DRAM manufacturers designed TRR to track rows that are activated unusually often and to refresh their neighbours, but the tracker holds only a small number of entries, a design that assumes attackers use single- or double-sided RowHammer with one or two aggressors.
Many-sided RowHammer exploits this limit by spreading activations over more aggressor rows than the tracker has entries, so no single aggressor stands out enough to be tracked and have its neighbours refreshed. The per-aggressor activation count drops, but the flip threshold of DDR4 cells is low enough that each victim still crosses it well within the 64 ms refresh window, and bit flips occur with the mitigation fully active. Note also that tracking affected hardware through the supply chain is difficult, because a single product model from a single vendor may contain DRAM chips from different manufacturers.
Attack Vector
The attacker must craft memory access patterns that stay below the TRR detection threshold. In a many-sided attack the attacker picks a set of aggressor rows in one bank, typically alternating rows so that every victim lies between two aggressors, and cycles activations across all of them, flushing or evicting the cache line each time so that every access reaches DRAM rather than the cache. Because the pattern has to be tuned to the tracker of the specific chip (how many rows it follows and how it samples them), the TRRespass tooling searches over the number of aggressors and their spacing until flips appear.
The attack can be executed in several contexts: from JavaScript in a web browser, from native code in shared hosting environments, or from inside a virtual machine in cloud environments. In each case the attacker needs code execution on the physical host whose DRAM is targeted, plus a way to steer security-sensitive data into a victim row: page table entries (for privilege escalation), cryptographic keys (for authentication bypass), or security-sensitive application data.
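To make the tracker-capacity argument from the Root Cause and Attack Vector sections concrete, here is a small simulation written for this page. It is not TRRespass code, and real TRR logic is proprietary and differs between vendors; the model uses a counter-based tracker with a fixed number of entries (Misra-Gries style counting), refreshes the neighbours of a tracked row once its count crosses a trigger, and flips a victim once it absorbs a fixed number of neighbour activations between refreshes. The entry count, trigger, activations per tREFI and flip threshold are assumed values chosen to be in a realistic ballpark, not measurements from any chip.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of an in-DRAM tracker. All constants are assumptions for the
 * illustration; vendor TRR designs are undocumented and vary. */
#define ROWS            64      /* rows in the simulated bank */
#define TRR_ENTRIES     4       /* aggressor rows the tracker can follow at once */
#define TRR_TRIGGER     64      /* tracked activations before TRR refreshes a row's neighbours */
#define ACTS_PER_TREFI  150     /* activations that fit into one tREFI (~7.8 us) */
#define TREFIS_PER_REF  8192    /* tREFI intervals in one 64 ms refresh window */
#define FLIP_THRESHOLD  30000   /* neighbour activations a cell tolerates before it flips */

struct trr_entry { int row; int count; };
struct tracker   { struct trr_entry e[TRR_ENTRIES]; };

static int  disturb[ROWS];      /* neighbour activations absorbed since the row was last refreshed */
static bool flipped[ROWS];

static void refresh_row(int r)
{
    if (r >= 0 && r < ROWS) disturb[r] = 0;
}

/* Activating a row rewrites its own cells but disturbs both physical neighbours. */
static void activate(int row)
{
    disturb[row] = 0;
    if (row > 0)        disturb[row - 1]++;
    if (row + 1 < ROWS) disturb[row + 1]++;
}

/* Misra-Gries style counting: a row keeps a counter only while it dominates the
 * activation stream. When every entry is busy and an untracked row arrives, all
 * counters are decremented, so N > TRR_ENTRIES equally hot rows never build a count. */
static void tracker_observe(struct tracker *t, int row)
{
    int free_slot = -1;
    for (int i = 0; i < TRR_ENTRIES; i++) {
        if (t->e[i].count > 0 && t->e[i].row == row) { t->e[i].count++; return; }
        if (t->e[i].count == 0 && free_slot < 0) free_slot = i;
    }
    if (free_slot >= 0) { t->e[free_slot].row = row; t->e[free_slot].count = 1; return; }
    for (int i = 0; i < TRR_ENTRIES; i++) t->e[i].count--;
}

/* Runs with each REF command: refresh the neighbours of any tracked row that
 * crossed the trigger, then release its entry. */
static void tracker_act(struct tracker *t)
{
    for (int i = 0; i < TRR_ENTRIES; i++) {
        if (t->e[i].count >= TRR_TRIGGER) {
            refresh_row(t->e[i].row - 1);
            refresh_row(t->e[i].row + 1);
            t->e[i].count = 0;
        }
    }
}

/* Hammer the given aggressor rows round-robin for one 64 ms refresh window and
 * return how many rows crossed the flip threshold. */
int hammer(const int *aggr, int n)
{
    struct tracker t;
    long acts = 0;
    int flips = 0;
    memset(&t, 0, sizeof t);
    memset(disturb, 0, sizeof disturb);
    memset(flipped, 0, sizeof flipped);
    for (int i = 0; i < TREFIS_PER_REF; i++) {
        for (int j = 0; j < ACTS_PER_TREFI; j++) {
            int row = aggr[acts++ % n];
            activate(row);
            tracker_observe(&t, row);
        }
        tracker_act(&t);
        for (int r = 0; r < ROWS; r++)
            if (disturb[r] >= FLIP_THRESHOLD) flipped[r] = true;
    }
    for (int r = 0; r < ROWS; r++) flips += flipped[r];
    return flips;
}

/* n-sided pattern: aggressors on every other row from row 20, so each victim in
 * between sees two aggressors (n == 2 is the classic double-sided layout). */
int flips_for_sided(int n)
{
    int aggr[ROWS / 2];
    if (n < 1 || n > 20) return -1;
    for (int i = 0; i < n; i++) aggr[i] = 20 + 2 * i;
    return hammer(aggr, n);
}

int main(void)
{
    for (int n = 1; n <= 8; n++)
        printf("%d-sided: %d flipped row(s)\n", n, flips_for_sided(n));
    return 0;
}
```

Single-, double- and four-sided patterns are caught every refresh interval and produce no flips; as soon as the pattern uses more aggressors than the tracker has entries, the counters never climb, no neighbour is ever refreshed, and every victim flips even though each aggressor is activated far less often. Real trackers use other policies and sampling schemes, which is why the number of aggressors and their spacing has to be searched per chip rather than derived from one assumed design.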
For detailed technical implementation, refer to the VUSec Research Paper and the TRRespass GitHub Repository.
Detection Methods for CVE-2020-10255
Indicators of Compromise
- Sustained, very high rates of memory accesses that miss the cache and reach DRAM, concentrated on a small set of physical rows (hammering consists of row activations, so the accesses may be reads or writes)
- Unusual volumes of cache line flushes (CLFLUSH/CLFLUSHOPT) that force the following accesses to go to DRAM instead of being served from the cache; hammering can also use cache eviction sets or non-temporal stores, so the absence of CLFLUSH is not evidence of absence
- Bursts of corrected errors on ECC-enabled systems, especially repeated corrections on the same DIMM and the same physical page, or unexpected bit flips caught by integrity checks
- Unexpected privilege escalation events or authentication failures shortly after a period of intensive memory activity
Detection Strategies
- Use hardware performance counters (for example last-level-cache miss rates per core or per VM) to spot the anomalous DRAM access rates characteristic of hammering
- Implement kernel-level monitoring for excessive cache line flush operations, which most native hammering code uses to keep its accesses from being served by the cache
- Use ECC memory to detect, and where possible correct, single-bit errors; this is not a complete mitigation, since an attacker who can induce several flips within one ECC word can defeat single-error correction, but the corrected-error log is the best sensor most hosts have
- Monitor for memory allocation patterns aimed at controlling the physical layout, such as spraying large numbers of page tables or allocating and releasing large blocks to obtain physically contiguous memory
Monitoring Recommendations
- Enable and monitor ECC memory error logging to identify potential exploitation attempts
- Track hardware counters per VM in virtualized environments (for example LLC misses per vCPU) to detect a tenant hammering the host's DRAM
- Deploy endpoint detection solutions capable of identifying RowHammer-related behavioral patterns
- Monitor system logs for kernel panic events or unexpected memory corruption errors
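The ECC-related indicators above come down to triaging corrected-error (CE) and uncorrectable-error (UE) reports per DIMM. The following collector was written for this page, not taken from any vendor or project: it parses kernel log lines in the shape the Linux EDAC core emits, aggregates them per DIMM label, and flags a DIMM on a UE, a burst of CEs, or repeated CEs on the same physical page (hammering keeps hitting the same victim rows, so repeats are more telling than the raw count). The sample lines are constructed to mimic the EDAC format, and the thresholds are assumptions to be tuned to a fleet's baseline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Thresholds are assumptions for this example; tune them to the fleet's baseline
 * (a healthy DIMM logs corrected errors rarely and never in bursts). */
#define CE_BURST   4    /* corrected errors on one DIMM within one batch of lines */
#define SAME_PAGE  3    /* corrected errors that hit the same physical page */
#define MAX_DIMMS  16
#define MAX_PAGES  32

struct ecc_event  { int mc, count, uncorrectable; char label[64]; unsigned long page; };
struct dimm_stats { char label[64]; int ce, ue, npages; unsigned long page[MAX_PAGES]; int page_hits[MAX_PAGES]; };
struct ecc_report { struct dimm_stats d[MAX_DIMMS]; int ndimms; };

/* Parse one kernel log line in the shape the EDAC core emits:
 *   "EDAC MC0: 1 CE memory read error on <label> (channel:0 slot:0 page:0x... offset:0x... ...)"
 * Returns 1 for an EDAC CE/UE report, 0 for any other line. */
int ecc_parse_line(const char *line, struct ecc_event *ev)
{
    const char *p = strstr(line, "EDAC MC"), *on, *pg;
    char kind[3];
    size_t n;
    if (!p || sscanf(p, "EDAC MC%d: %d %2s", &ev->mc, &ev->count, kind) != 3) return 0;
    if (strcmp(kind, "CE") == 0) ev->uncorrectable = 0;
    else if (strcmp(kind, "UE") == 0) ev->uncorrectable = 1;
    else return 0;
    if (!(on = strstr(p, " on "))) return 0;
    on += 4;                                  /* DIMM label runs up to the next space or '(' */
    n = strcspn(on, " (");
    if (n >= sizeof ev->label) n = sizeof ev->label - 1;
    memcpy(ev->label, on, n);
    ev->label[n] = '\0';
    pg = strstr(p, "page:0x");                /* physical page the error was read from */
    ev->page = pg ? strtoul(pg + 5, NULL, 16) : 0;
    return 1;
}

static struct dimm_stats *dimm_for(struct ecc_report *r, const char *label)
{
    for (int i = 0; i < r->ndimms; i++)
        if (strcmp(r->d[i].label, label) == 0) return &r->d[i];
    if (r->ndimms == MAX_DIMMS) return NULL;
    struct dimm_stats *d = &r->d[r->ndimms++];
    memset(d, 0, sizeof *d);
    strncpy(d->label, label, sizeof d->label - 1);
    return d;
}

static void record_page(struct dimm_stats *d, unsigned long page)
{
    for (int i = 0; i < d->npages; i++)
        if (d->page[i] == page) { d->page_hits[i]++; return; }
    if (d->npages < MAX_PAGES) { d->page[d->npages] = page; d->page_hits[d->npages++] = 1; }
}

/* Suspicious: an uncorrectable error, a burst of CEs, or repeated CEs on one page. */
int dimm_suspicious(const struct dimm_stats *d)
{
    if (d->ue > 0 || d->ce >= CE_BURST) return 1;
    for (int i = 0; i < d->npages; i++)
        if (d->page_hits[i] >= SAME_PAGE) return 1;
    return 0;
}

/* Fold a batch of log lines into per-DIMM statistics; returns the number of suspicious DIMMs. */
int ecc_analyze(const char *const *lines, int nlines, struct ecc_report *r)
{
    int flagged = 0;
    memset(r, 0, sizeof *r);
    for (int i = 0; i < nlines; i++) {
        struct ecc_event ev;
        struct dimm_stats *d;
        if (!ecc_parse_line(lines[i], &ev) || !(d = dimm_for(r, ev.label))) continue;
        if (ev.uncorrectable) d->ue += ev.count;
        else { d->ce += ev.count; record_page(d, ev.page); }
    }
    for (int i = 0; i < r->ndimms; i++) flagged += dimm_suspicious(&r->d[i]);
    return flagged;
}

/* Constructed sample log (not captured from a real host): four CEs on one DIMM,
 * three of them on the same page, one isolated CE elsewhere, an unrelated line,
 * and one UE on a second memory controller. */
static const char *const SAMPLE_LOG[] = {
    "[ 812.001] EDAC MC0: 1 CE memory read error on CPU_SrcID#0_Ha#0_Chan#0_DIMM#0 (channel:0 slot:0 page:0x2d6b9a offset:0x40 grain:32 syndrome:0x0)",
    "[ 812.014] EDAC MC0: 1 CE memory read error on CPU_SrcID#0_Ha#0_Chan#0_DIMM#0 (channel:0 slot:0 page:0x2d6b9a offset:0x40 grain:32 syndrome:0x0)",
    "[ 812.020] EDAC MC0: 1 CE memory read error on CPU_SrcID#0_Ha#0_Chan#0_DIMM#0 (channel:0 slot:0 page:0x2d6b9c offset:0x80 grain:32 syndrome:0x0)",
    "[ 812.031] EDAC MC0: 1 CE memory read error on CPU_SrcID#0_Ha#0_Chan#0_DIMM#0 (channel:0 slot:0 page:0x2d6b9a offset:0x40 grain:32 syndrome:0x0)",
    "[ 980.777] EDAC MC0: 1 CE memory read error on CPU_SrcID#0_Ha#0_Chan#1_DIMM#0 (channel:1 slot:0 page:0x1a0030 offset:0x0 grain:32 syndrome:0x0)",
    "[ 990.123] usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "[ 1201.500] EDAC MC1: 1 UE memory read error on CPU_SrcID#1_Ha#0_Chan#0_DIMM#1 (channel:0 slot:1 page:0x7f00a1 offset:0x0 grain:32)",
};
#define SAMPLE_LINES (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Run the analysis on the constructed sample and return the number of suspicious DIMMs. */
int demo_flagged(void)
{
    struct ecc_report r;
    return ecc_analyze(SAMPLE_LOG, SAMPLE_LINES, &r);
}
```

In production the lines come from the kernel log (dmesg or the journal) or from rasdaemon, and the same rules apply to deltas of the sysfs counters under /sys/devices/system/edac/mc/mc*/ce_count. The sample flags two DIMMs: the one with the CE burst and repeated page, and the one with the UE; the DIMM with a single CE is left alone, because isolated corrections are normal DRAM behaviour.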
How to Mitigate CVE-2020-10255
Immediate Actions Required
- Evaluate the current DRAM inventory and identify systems using affected DDR4 or LPDDR4 modules from SK Hynix, Micron, or Samsung; check the actual chips on the modules rather than the product label, since one model may mix chips from several manufacturers
- Enable ECC memory where available to detect and correct single-bit errors (note: this reduces but does not eliminate risk)
- Harden virtualized environments against cross-tenant attacks: disable cross-VM memory deduplication (for example KSM), which lets an attacker merge its own page with a victim's copy and thereby hammer data it could not otherwise reach
- Apply the software-side hardening modern operating systems offer, such as hiding physical-address information (/proc/<pid>/pagemap) from unprivileged processes and, on sensitive hosts, disabling transparent huge pages, which hand hammering code physically contiguous memory; these raise the bar but do not fix the hardware defect
Patch Information
As a hardware vulnerability, CVE-2020-10255 cannot be fully remediated through software patches. DRAM manufacturers have been made aware of the TRR bypass techniques, and newer generations of memory may include improved mitigations. Organizations should consult with their hardware vendors regarding updated DRAM modules with enhanced TRR implementations.
Operating system vendors have shipped partial software hardening, such as hiding physical frame numbers in /proc/<pid>/pagemap from unprivileged processes (Linux since version 4.0) and restricting unprivileged access to features that help attackers reverse the DRAM address mapping. Organizations should run current kernel versions that include these measures, with the understanding that they make exploitation harder rather than impossible.
Workarounds
- Deploy ECC memory to detect bit flips, adding a layer of defense against successful exploitation and a signal for the monitoring described above
- Enforce strict memory isolation in cloud and virtualized environments: no cross-tenant memory deduplication, and dedicated hosts for sensitive tenants where the threat model warrants it
- In high-security environments, block untrusted JavaScript rather than relying on disabling JIT compilation: browser-based hammering works by issuing DRAM accesses from ordinary array operations, which an interpreter can still do, only more slowly
- Increase the DRAM refresh rate where the firmware allows it (for example doubling the refresh frequency); this shrinks the window in which a victim can accumulate enough activations, but it costs bandwidth and power, and on the most vulnerable chips it only reduces the number of flips
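Two of the software-side conditions listed above can be checked from an unprivileged process. The following checker was written for this page and is not taken from any project: it tests whether this process can read physical frame numbers from /proc/self/pagemap (the Linux kernel zeroes them for processes without CAP_SYS_ADMIN since version 4.0, which denies attackers the virtual-to-physical mapping that hammering code needs) and reports the active transparent-hugepage mode (huge pages give an attacker physically contiguous 2 MiB regions for free). The paths and the bit layout of pagemap entries are Linux-specific; on other systems both checks report that they are unavailable.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Extract the active choice from a sysfs selector line such as
 * "always [madvise] never". Returns 1 on success, 0 if there is no bracketed value. */
int parse_bracketed(const char *s, char *out, size_t outsz)
{
    const char *l = strchr(s, '[');
    const char *r = l ? strchr(l, ']') : NULL;
    size_t n;
    if (!l || !r) return 0;
    n = (size_t)(r - l - 1);
    if (n >= outsz) return 0;
    memcpy(out, l + 1, n);
    out[n] = '\0';
    return 1;
}

/* Read the transparent-hugepage mode into out; 0 on success, -1 if unavailable. */
int thp_mode(char *out, size_t outsz)
{
    char line[128];
    FILE *f = fopen("/sys/kernel/mm/transparent_hugepage/enabled", "r");
    if (!f) return -1;
    if (!fgets(line, sizeof line, f)) { fclose(f); return -1; }
    fclose(f);
    return parse_bracketed(line, out, outsz) ? 0 : -1;
}

/* Returns 1 if this process can read physical frame numbers from /proc/self/pagemap
 * (so unprivileged attacker code could too), 0 if the kernel hides them, and -1 if
 * the check cannot be made (no pagemap, or the probe page is not resident). */
int pagemap_pfn_visible(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    volatile char *buf;
    uint64_t entry = 0;
    off_t off;
    ssize_t got;
    int fd;
    if (pagesz <= 0 || !(buf = malloc((size_t)pagesz))) return -1;
    buf[0] = 1;                                   /* make sure the probe page is resident */
    fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0) { free((void *)buf); return -1; }
    off = (off_t)((uintptr_t)buf / (uintptr_t)pagesz) * (off_t)sizeof entry;
    got = pread(fd, &entry, sizeof entry, off);   /* one 64-bit entry per virtual page */
    close(fd);
    free((void *)buf);
    if (got != (ssize_t)sizeof entry) return -1;
    if (!(entry & (1ULL << 63))) return -1;       /* bit 63: page present */
    return (entry & ((1ULL << 55) - 1)) != 0;     /* bits 0-54: PFN, zeroed without CAP_SYS_ADMIN */
}

int main(void)
{
    char mode[32];
    if (thp_mode(mode, sizeof mode) == 0)
        printf("transparent_hugepage: %s%s\n", mode,
               strcmp(mode, "never") ? " (hammering code gets contiguous 2 MiB regions)" : "");
    else
        puts("transparent_hugepage: not available");
    switch (pagemap_pfn_visible()) {
    case 1:  puts("pagemap: PFNs visible to this process"); break;
    case 0:  puts("pagemap: PFNs hidden from unprivileged code"); break;
    default: puts("pagemap: check unavailable"); break;
    }
    return 0;
}
```

Run it as the least-privileged user that attacker code would have, not as root, since CAP_SYS_ADMIN makes the PFNs visible regardless of the kernel's protection. Whether the modules actually run with ECC is a separate question: on Linux, the presence of /sys/devices/system/edac/mc/mc0 and the "Error Correction Type" field of dmidecode -t memory answer it.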
For additional technical details and research findings, refer to the VUSec TRRespass Project Overview and coverage from The Hacker News.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.