
New RAMBleed Attack Allows Access to Sensitive Data in Memory

New DRAM Side-Channel Attack ‘RAMBleed’ Allows Hackers to Steal Sensitive Data

A team of researchers representing several universities has disclosed the details of RAMBleed, a new type of side-channel attack on dynamic random-access memory (DRAM) that can be used to obtain potentially sensitive data from a device’s memory.


RAMBleed, which is tracked as CVE-2019-0174, is based on Rowhammer, a technique whose security impact was first demonstrated in 2015 by Google Project Zero.

Rowhammer attacks are possible due to the fact that memory cells in DRAM chips have been placed very close together in an effort to increase capacity and decrease size. This makes it more difficult to prevent cells from electrically interacting with each other and researchers have demonstrated that repeatedly accessing specific memory locations can cause bit flips.

Security experts have previously demonstrated that these bit flips can be exploited for privilege escalation. However, researchers from the University of Michigan, Graz University of Technology and University of Adelaide have now shown that an attacker with limited privileges can use a Rowhammer attack to deduce bits in nearby rows, including data associated with other processes and the kernel.

Previous Rowhammer attacks relied on write side-channels, which involve persistent bit flips that can be mitigated by error-correcting code (ECC) memory. Researchers say RAMBleed uses Rowhammer as a read side-channel and it does not require persistent bit flips, allowing it to bypass ECC.

“Rowhammer induced bit flips are data dependent, i.e. a bit is more likely to flip when the bits above and below it have the opposite charge. This creates a data-dependent side channel, wherein an attacker can deduce the values of bits in nearby rows by observing bit flips in her own memory rows. Finally, as the data in nearby rows might belong to a different process, this leakage breaks the isolation boundaries enforced by the operating system,” the researchers explained.

“To exploit this effect, we developed novel memory massaging techniques to carefully place the victim’s secret data in the rows above and below the attacker’s memory row. This causes the bit flips in the attacker’s rows to depend on the values of the victim’s secret data. The attacker can then use Rowhammer to induce bit flips in her own memory, thereby leaking the victim’s secret data,” they added.

The researchers who discovered RAMBleed demonstrated its impact by attacking OpenSSH and leaking a 2048-bit RSA key. While this sounds serious, they have highlighted that OpenSSH was merely a convenient target for demonstrating RAMBleed and that it is no more vulnerable than other software.

RAMBleed attacks work against devices that use DDR3 and DDR4 memory modules. “We suspect that many classes of computers are susceptible to RAMBleed,” the researchers said.

As for mitigations, researchers recommend upgrading memory modules to DDR4 with targeted row refresh (TRR) enabled; this feature does not completely block Rowhammer attacks, but it does make them more difficult to carry out in practice.

“Memory manufacturers can help mitigate this issue by more rigorously testing for faulty DIMMs. Furthermore, publicly documenting vendor specific TRR implementations will facilitate a stronger development process as security researchers probe such implementations for weaknesses,” said the researchers.
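To act on the upgrade recommendation, an administrator first needs an inventory of which DIMMs are DDR3 and which are DDR4. The following is an added example, not code from the article or the researchers: it parses `dmidecode -t memory` output and assigns each populated slot an action. The sample output is constructed, and the function names and action strings are assumptions of this example. The Memory Device records carry no TRR field, so DDR4 modules are marked for vendor confirmation, and ECC is reported but not counted as a mitigation.

```python
import re
# Constructed sample of `dmidecode -t memory` output (not from a real host).
SAMPLE = """\
Handle 0x0040, DMI type 17, 40 bytes
Memory Device
\tTotal Width: 72 bits
\tData Width: 64 bits
\tSize: 16 GB
\tLocator: DIMM_A1
\tType: DDR4

Handle 0x0041, DMI type 17, 40 bytes
Memory Device
\tTotal Width: 64 bits
\tData Width: 64 bits
\tSize: 8 GB
\tLocator: DIMM_B1
\tType: DDR3

Handle 0x0042, DMI type 17, 40 bytes
Memory Device
\tSize: No Module Installed
\tLocator: DIMM_B2
\tType: Unknown
"""
# Action per memory type, following the mitigation advice quoted in the article.
ACTIONS = {"DDR3": "upgrade to DDR4 with TRR", "DDR4": "confirm TRR with vendor"}

def parse_memory_devices(text):
    """Return the 'Key: value' fields of every populated Memory Device block."""
    devices = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        if not re.search(r"^Memory Device$", block, re.M):
            continue  # skip arrays, mapped addresses and other DMI records
        fields = dict(re.findall(r"^[ \t]+([^:\n]+):[ \t]*(.*)$", block, re.M))
        if not fields.get("Size", "").startswith("No Module"):
            devices.append(fields)  # empty slots are dropped
    return devices

def _bits(value):
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else 0

def assess(dev):
    """Flag one DIMM; ECC is reported but not treated as a RAMBleed mitigation."""
    ecc = _bits(dev.get("Total Width")) > _bits(dev.get("Data Width")) > 0
    return {"slot": dev.get("Locator", "?"), "type": dev.get("Type", "Unknown"),
            "ecc": ecc, "action": ACTIONS.get(dev.get("Type"), "review manually")}
def report(text):
    return [assess(d) for d in parse_memory_devices(text)]
```

On a live Linux host, pass the text captured from `dmidecode -t memory` (run as root) to `report()` instead of `SAMPLE`.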

There is no evidence that RAMBleed has been exploited in the wild. However, the experts noted that commercial security software is unlikely to be able to detect these types of attacks.

Oracle has released an advisory for RAMBleed and other vendors will likely do the same. Oracle says its servers and infrastructure are not impacted due to the use of mitigations such as TRR, and the company believes no additional software patches will be needed.

Related: Android Phones Vulnerable to Remote Rowhammer Attack via GPU

Related: Researchers Devise Rowhammer Attacks Against Latest Android Versions

Related: New Rowhammer Attack Bypasses Existing Defenses

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
