CVE-2015-0565
Published: 2020-02-25
CVE-2015-0565: NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks possible.
Priority: P2 64 · Severity: critical · CVSS 3.1 base score: 10.0
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Exploit: EPSS 13.25% (95.9th percentile)
Affected (3 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nacl | — | — |
| native_client | — | — | — |
| nacl | nacl | — | — |
Detection & IOCs (extracted from sources)
- Detect use of the CLFLUSH instruction within the NaCl sandbox context; its presence in NaCl x86-64 validator-passed code is the core enabler of this rowhammer exploit.
- Monitor for NaCl dyncode_create() syscall activity, which is the interface used by the exploit to load dynamically injected code with bit flips.
- Flag NaCl sandbox escapes where read-only code regions are modified, producing instruction sequences that fail the NaCl x86-64 validator post-execution.
- The NaCl rowhammer exploit (CVE-2015-0565) only works on machines physically susceptible to the DRAM rowhammer problem; patched/newer NaCl versions disallow CLFLUSH in the validator, neutralizing this attack vector.
- The Linux kernel rowhammer PoC (EDB-36310) requires /dev/mem to be enabled (CONFIG_STRICT_DEVMEM disabled) for its test mode; production exploitation targets PTE bit flips without this requirement.
- Debian tracking shows CVE-2015-0565 remains open across multiple releases (bookworm, bullseye, forky, sid, trixie), meaning NaCl packages in these distributions may still permit CLFLUSH.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | LOW | — |
Debian
CVE-2015-0565 [CRITICAL]: nacl - NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks possible.
vendor_debian · 2015 · CVSS 10.0
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
GHSA
GHSA-w4v4-69x7-832c [HIGH]: NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks possible.
ghsa_unreviewed · 2022-05-24
OSV
CVE-2015-0565 [CRITICAL]: NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks possible.
osv · 2020-02-25 · CVSS 10.0
Project Zero
Exploiting the DRAM rowhammer bug to gain kernel privileges (Rowhammer blog post, draft) - Project Zero
project_zero · 2015-03-01
Posted by Mark Seaborn, sandbox builder and breaker, with contributions by Thomas Dullien, reverse engineer
[This guest post continues Project Zero’s practice of promoting excellence in security research on the Project Zero blog]
Overview
“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit
No detection rules found.
Exploit-DB
Rowhammer - NaCl Sandbox Escape
exploitdb · 2015-03-09 · CVE-2015-3693
---
Sources:
http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://code.google.com/p/google-security-research/issues/detail?id=284
Full PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36311.tar.gz
This is a proof-of-concept exploit that is able to escape from Native
Client's x86-64 sandbox on machines that are susceptible to the DRAM
"rowhammer" problem. It works by inducing a bit flip in read-only
code so that the code is no longer safe, producing instruction
sequences that wouldn't pass NaCl's x86-64 validator.
Note that this uses the CLFLUSH instruction, so it doesn't work in
newer versions of NaCl where this instruction is disallowed by the
validator.
There are two way
Exploit-DB
Linux Kernel (x86-64) - Rowhammer Privilege Escalation
exploitdb · 2015-03-09 · CVE-2015-0565
---
Sources:
http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://code.google.com/p/google-security-research/issues/detail?id=283
Full PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36310.tar.gz
This is a proof-of-concept exploit that is able to gain kernel
privileges on machines that are susceptible to the DRAM "rowhammer"
problem. It runs as an unprivileged userland process on x86-64 Linux.
It works by inducing bit flips in page table entries (PTEs).
For development purposes, the exploit program has a test mode in which
it induces a bit flip by writing to /dev/mem. qemu_runner.py will run
the exploit program in test mode in a QEMU VM. It assumes th
arXiv
An Analysis of How Many Undiscovered Vulnerabilities Remain in Information Systems
arxiv_fulltext · 2023-04-18 (paper dated April 1, 2023)
## Abstract
Vulnerability management strategy, from both organizational and public policy perspectives, hinges on an understanding of the supply of undiscovered vulnerabilities.
If the number of undiscovered vulnerabilities is small enough, then a reasonable investment strategy would be to focus on finding and removing the remaining undiscovered vulnerabilities.
If the number of undiscovered vulnerabilities is and will continue to be large, then a better investment strategy would be to focus on quick patch dissemination and engineering resilient systems.
This paper examines a paradigm, namely that the number of undiscovered vulnerabilities is manageably small, through the lens of mathematical concepts from the theory of computing.
From this perspective, we find little suppo
Bugzilla
CVE-2015-0565 [CRITICAL] nacl: allowed CLFLUSH instruction could result in rowhammer attack leading to privilege escalation
bugzilla · 2020-03-06 · CVSS 10.0
In NaCl 2015 the CLFLUSH instruction is allowed, which could result in a rowhammer attack leading to privilege escalation.
External References:
https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://www.exploit-db.com/exploits/36310/
https://www.exploit-db.com/exploits/36311/