A group of Dutch security experts has demonstrated a modified Rowhammer attack against cloud Linux virtual machines. The intrusion was tested on two different distributions and can cause severe consequences.
All Your Linux Virtual Machines Belong to Us
The computer experts employ a Flip Feng Shui (FFS) method that relies on the well-known Rowhammer DRAM exploit. This induces memory modifications in the virtual machine. Criminal users can utilize this type of attack by renting out a virtual server on the victim host. Successful attempts have demonstrated that the hypervisor or the virtual machine itself shows no indications of the malicious modification to the user or the administrator. According to the original Rowhammer paper more than 85% of DDR3 modules are vulnerable to Rowhammer.
The security team has made attacks against Debian and Ubuntu virtual machines. In one scenario they downloaded a malware download posing as a software update using the built-in package management software utility. Another type of attack involved unauthorized access to the virtual machine by corrupting the OpenSSH public keys which are used in user authentication.
Both apt-get and OpenSSH are integral to the Gnu/Linux systems and showcase serious security issues.
Solutions to this problem that are available to system administrators include the disabling of memory deduplication in the settings of the virtual machine hypervisor or switching to the more efficient zero-page deduplication option.
The research team has disclosed all information to the developers of OpenSSH, GnuPG, VM vendors (Oracle, Red Hat, Xen and VmWare) and both the Ubuntu and Debian security team. GnuPG has already introduced updates to resolve the issue on their part.
It is not known how many servers are vulnerable to this type of attack as each cloud hosting service sets up the virtual machine hypervisors individually. As the relevant development teams are already alerted, security patches are expected to be ready soon rendering this technique obsolete.