CVE-2021-42114 Overview
CVE-2021-42114 is a hardware vulnerability affecting modern DRAM devices (PC-DDR4, LPDDR4X) where the internal Target Row Refresh (TRR) mitigation designed to protect against Rowhammer attacks can be bypassed. Researchers developed a novel fuzzing tool called Blacksmith that generates non-uniform Rowhammer access patterns with varying frequencies, phases, and amplitudes, successfully triggering bit flips on DRAM modules that were previously believed to be Rowhammer-resistant.
This vulnerability represents a significant advancement in Rowhammer attack techniques, demonstrating that hardware-based mitigations implemented by DRAM manufacturers are insufficient to prevent memory corruption attacks. The Blacksmith fuzzer was able to trigger bit flips on all 40 PC-DDR4 DRAM devices tested, spanning products from all three major DRAM manufacturers: Samsung, SK Hynix, and Micron.
Critical Impact
Successful exploitation enables privilege escalation attacks against the kernel, manipulation of privileged binaries like sudo, and bit flips in cryptographic keys (RSA-2048/SSH keys) potentially allowing cross-tenant virtual machine access in cloud environments.
Affected Products
- Samsung DDR4 SDRAM and LPDDR4 devices
- Micron DDR4 SDRAM and LPDDR4 devices
- SK Hynix DDR4 SDRAM and LPDDR4 devices
Discovery Timeline
- November 16, 2021 - CVE-2021-42114 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-42114
Vulnerability Analysis
The Rowhammer attack exploits a fundamental physical phenomenon in modern DRAM where repeatedly accessing (hammering) specific memory rows causes electrical interference that can flip bits in adjacent rows. DRAM manufacturers implemented Target Row Refresh (TRR) as an in-DRAM mitigation that attempts to detect and refresh victim rows before bit flips occur.
However, CVE-2021-42114 demonstrates that TRR mitigations can be bypassed using carefully crafted non-uniform access patterns. Traditional Rowhammer attacks used uniform, predictable patterns that TRR was designed to detect. The Blacksmith approach uses variable frequencies, phases, and amplitudes in memory access patterns, evading the detection heuristics employed by TRR implementations.
NVD rates the attack vector as Adjacent with high attack complexity, requiring no privileges and no user interaction. Successful exploitation can impact confidentiality, integrity, and availability across security boundaries, making it particularly dangerous in multi-tenant environments such as cloud infrastructure.
Root Cause
The root cause lies in improper input validation (CWE-20) at the hardware level within DRAM TRR implementations. TRR mitigations were designed based on assumptions about Rowhammer access patterns that proved to be incomplete. The TRR detection mechanisms rely on identifying specific row access patterns, but the Blacksmith fuzzer discovered that non-uniform patterns with varying temporal characteristics can evade these detection algorithms while still inducing the electrical interference necessary to cause bit flips.
Attack Vector
The attack vector is rated Adjacent, which for a DRAM fault means the attacker must already be running code on the same physical host as the target and sharing its memory, rather than merely being reachable over a network. In practical terms, this encompasses scenarios such as:
- Co-located virtual machines in cloud environments
- Containers sharing the same physical host
- Compromised processes on the same system attempting privilege escalation
The attacker executes carefully crafted memory access patterns that bypass TRR detection. By varying the frequency (how often rows are accessed), phase (timing offset between accesses), and amplitude (number of accesses per burst), the Blacksmith fuzzer identifies patterns specific to the target DRAM module that successfully induce bit flips.
Once bit flips are achieved, the attacker can manipulate security-sensitive data structures in memory, such as page table entries for privilege escalation, authentication credentials, or cryptographic key material. The research demonstrated practical attacks including modifying the sudo binary in memory and corrupting RSA-2048 keys to gain unauthorized access.
Detection Methods for CVE-2021-42114
Indicators of Compromise
- Unusual patterns of memory access with high row activation rates detected through performance counters
- Unexplained bit errors or ECC corrections logged by memory controllers
- Anomalous process behavior showing intensive, repetitive memory access patterns
- Unexpected privilege escalation events without corresponding authentication activity
Detection Strategies
- Monitor hardware performance counters for elevated DRAM row activation rates using tools like perf on Linux systems
- Implement memory integrity monitoring to detect unexpected modifications to kernel structures and security-critical binaries
- Deploy ECC memory and monitor correction logs for patterns indicative of Rowhammer-style attacks
- Use hypervisor-level monitoring in virtualized environments to detect suspicious memory access patterns from guest VMs
Monitoring Recommendations
- Enable and regularly review ECC memory error logs on systems with ECC-capable memory
- Implement behavioral monitoring for processes exhibiting memory-intensive patterns characteristic of Rowhammer attacks
- Deploy memory forensics capabilities to detect unauthorized modifications to page tables and kernel structures
- Monitor for unexpected cryptographic key changes or authentication failures that could indicate key corruption
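The ECC-log strategies above hinge on telling hammering apart from ordinary, scattered corrected errors. As an added example (not from the original page or the Blacksmith project), this Python script parses constructed kernel EDAC lines in the common `EDAC MCn: <count> CE/UE memory read error on <DIMM> (... page:0x...)` layout, then flags a DIMM when corrected errors arrive in a burst, repeatedly hit the same physical page, or escalate to an uncorrected error. The log lines, thresholds and the 60-second window are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample dmesg output (not from any real incident): a burst of
# corrected errors on one DIMM that keeps hitting one page, then a UE there,
# plus a single isolated corrected error on another DIMM.
SAMPLE_DMESG = """\
[1001.000000] EDAC MC0: 1 CE memory read error on CPU_SrcID#0_MC#0_Chan#1_DIMM#0 (channel:1 slot:0 page:0x1a2b3c offset:0x40 grain:32 syndrome:0x0)
[1003.500000] EDAC MC0: 1 CE memory read error on CPU_SrcID#0_MC#0_Chan#1_DIMM#0 (channel:1 slot:0 page:0x1a2b3c offset:0x80 grain:32 syndrome:0x0)
[1004.250000] EDAC MC0: 2 CE memory read error on CPU_SrcID#0_MC#0_Chan#1_DIMM#0 (channel:1 slot:0 page:0x1a2b3d offset:0x0 grain:32 syndrome:0x0)
[4800.000000] EDAC MC1: 1 CE memory read error on CPU_SrcID#1_MC#0_Chan#0_DIMM#1 (channel:0 slot:1 page:0x7f0001 offset:0x0 grain:32 syndrome:0x0)
[5100.000000] EDAC MC0: 1 UE memory read error on CPU_SrcID#0_MC#0_Chan#1_DIMM#0 (channel:1 slot:0 page:0x1a2b3c offset:0xc0 grain:32 syndrome:0x0)
"""

EDAC_RE = re.compile(r"\[\s*(?P<ts>\d+\.\d+)\] EDAC MC(?P<mc>\d+): (?P<n>\d+) (?P<kind>CE|UE) "
                     r".*? on (?P<dimm>\S+) .*?page:(?P<page>0x[0-9a-f]+)")

def parse_edac(text):
    """Return one event dict per log line that matches the assumed EDAC layout."""
    events = []
    for line in text.splitlines():
        m = EDAC_RE.search(line)
        if m:
            events.append({"ts": float(m["ts"]), "mc": int(m["mc"]), "count": int(m["n"]),
                           "kind": m["kind"], "dimm": m["dimm"], "page": m["page"]})
    return events

def rowhammer_alerts(events, window_s=60.0, ce_threshold=3):
    """Random CEs are rare and scattered; hammering-induced flips come in bursts and
    revisit the same pages. Returns sorted (dimm, reason) pairs; any UE is reported."""
    alerts, by_dimm = set(), defaultdict(list)
    for ev in events:
        by_dimm[ev["dimm"]].append(ev)
    for dimm, evs in by_dimm.items():
        ce = sorted((e for e in evs if e["kind"] == "CE"), key=lambda e: e["ts"])
        start = 0  # sliding window: total corrected count within window_s seconds
        for end in range(len(ce)):
            while ce[end]["ts"] - ce[start]["ts"] > window_s:
                start += 1
            if sum(e["count"] for e in ce[start:end + 1]) >= ce_threshold:
                alerts.add((dimm, "ce_burst"))
        pages = defaultdict(int)
        for e in ce:
            pages[e["page"]] += 1
        if any(n >= 2 for n in pages.values()):
            alerts.add((dimm, "repeated_page"))
        if any(e["kind"] == "UE" for e in evs):
            alerts.add((dimm, "uncorrected_error"))
    return sorted(alerts)

if __name__ == "__main__":
    for dimm, reason in rowhammer_alerts(parse_edac(SAMPLE_DMESG)):
        print(f"ALERT {reason}: {dimm}")
```

On a live system the same functions can be fed `dmesg` output or the EDAC sysfs counters; the thresholds should be tuned against the baseline error rate of the fleet.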
How to Mitigate CVE-2021-42114
Immediate Actions Required
- Assess exposure by identifying systems using affected DDR4 and LPDDR4 memory from Samsung, SK Hynix, or Micron manufactured before or around July 2020
- Deploy ECC memory where possible, as it can detect and correct single-bit errors, raising the bar for successful exploitation
- Implement memory isolation techniques in virtualized and containerized environments to limit cross-tenant attack surfaces
- Review and apply firmware updates from system vendors that may include enhanced TRR implementations
Patch Information
As this is a hardware vulnerability in DRAM devices, there is no direct software patch available. Mitigation relies on a combination of hardware upgrades, firmware updates, and software-based defenses. DRAM manufacturers have been working on improved TRR implementations for newer memory generations, but existing deployed hardware remains vulnerable.
For detailed technical information, consult the ETH Zurich Blacksmith Research page and the Blacksmith research paper. The Blacksmith fuzzer source code is available for security researchers to test their own systems.
Workarounds
- Deploy memory partitioning and isolation mechanisms to prevent untrusted code from accessing memory regions adjacent to sensitive data
- Use DRAM with ECC support and enable error correction to mitigate the impact of successful bit flips
- In cloud environments, implement enhanced VM isolation and consider dedicated hardware for highly sensitive workloads
- Apply operating system hardening measures such as kernel address space layout randomization (KASLR) to make exploitation more difficult even if bit flips occur
```bash
# Check for ECC memory support on Linux systems (reports the Error Correction Type
# of each physical memory array; "None" means bit flips will go uncorrected)
sudo dmidecode -t memory | grep -i "error correction"
# Monitor machine-check and memory errors via mcelog (if the daemon is installed)
sudo mcelog --client
# Check for corrected memory errors in kernel logs (dmesg may require root)
dmesg | grep -i "memory" | grep -i "error\|corrected\|ecc"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.