Current memory systems remain susceptible to Rowhammer attacks: as the Phoenix root privilege escalation shows, Rowhammer still breaches DDR5's security protections
In a groundbreaking discovery, scientists from ETH Zurich's Computer Security Group (COMSEC) and Google have unveiled a proof-of-concept attack on DDR5 RAM, named Phoenix. The attack, tracked as CVE-2025-6202, bypasses DDR5's preventive measures against Rowhammer-style attacks, and neither Error Correction Code (ECC) nor on-die ECC (ODECC) provides effective protection.
The researchers highlighted that the Target Row Refresh (TRR) mechanism, which is designed to protect the integrity of DDR5 memory, does not keep an exact count of accesses to each memory row, which makes it possible to evade. The resulting bit flips in memory open the door to a range of attacks, including privilege escalation to the highest level.
To demonstrate the attack's potential, the team tested Phoenix on an AMD Zen 4 platform against 15 SK hynix DDR5 DIMMs from 2021-2024. The results were concerning, with a 100% success rate in replicating attacks that manipulate Page Table Entries (PTE), a 73% chance of extracting SSH login keys, and a 33% probability of gaining root access.
In response to these vulnerabilities, the JEDEC Solid State Technology Association announced the Per-Row Activation Counting (PRAC) standard for DDR5 RAM in April 2024. The standard is aimed at improving DRAM data integrity and mitigating Rowhammer attacks. PRAC keeps an accurate per-row count of sequential accesses (activations) and alerts the host system when a limit is exceeded.
The upcoming LPDDR6 standard will integrate PRAC from the start, offering a more secure solution for future devices. As of the date of publication, an impending BIOS update for AMD client systems is expected to address the Phoenix attack's issue on the tested SK hynix DIMMs.
It's important to note that the PRAC standard was not developed by Google or ETH Zurich, but by JEDEC. The research conducted by the team is part of a Google-led effort for better RAM security in cooperation with JEDEC, the consortium that defines memory standards.
Tripling the row refresh rate in the machine's UEFI, which shortens the refresh interval (tREFI) to around 1.3 μs, makes the attacks unlikely to succeed, but this comes at a steep cost: an 8.4% performance hit.
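The following toy model is an added illustration, not code from the researchers, JEDEC or any DRAM vendor. It contrasts an exact per-row counter (PRAC-style) with a tracker that only remembers a few recently seen rows, and shows how a shorter refresh window keeps counts below the alert threshold; the threshold, slot count, row count and window lengths are constructed values, and refresh is simplified to clearing all counters at once.

```python
# Toy model of DRAM row-activation tracking. All numbers below are assumptions
# chosen for illustration, not values from the Phoenix paper or the PRAC spec.
from collections import Counter, OrderedDict

class ExactCounter:
    """PRAC-style: one counter per row; alert once a row passes the threshold."""
    def __init__(self, threshold):
        self.threshold, self.counts, self.alerts = threshold, Counter(), set()

    def activate(self, row):
        self.counts[row] += 1
        if self.counts[row] > self.threshold:
            self.alerts.add(row)            # host is told to refresh / back off

    def refresh(self):
        self.counts.clear()                 # refreshed rows start from zero

class SamplingTracker:
    """Keeps counters for only the `slots` most recently seen rows (LRU eviction)."""
    def __init__(self, threshold, slots):
        self.threshold, self.slots = threshold, slots
        self.counts, self.alerts = OrderedDict(), set()

    def activate(self, row):
        if row in self.counts:
            self.counts.move_to_end(row)
            self.counts[row] += 1
        else:
            if len(self.counts) >= self.slots:
                self.counts.popitem(last=False)   # oldest row forgotten, count lost
            self.counts[row] = 1
        if self.counts[row] > self.threshold:
            self.alerts.add(row)

    def refresh(self):
        self.counts.clear()

def run(trace, tracker, window_acts):
    """Feed activations; clear counters every `window_acts` activations (refresh)."""
    for i, row in enumerate(trace, 1):
        tracker.activate(row)
        if i % window_acts == 0:
            tracker.refresh()
    return sorted(tracker.alerts)

# Constructed trace: 32 rows activated round-robin, 1500 times each.
ROWS, PASSES, THRESHOLD = 32, 1500, 1000
TRACE = [r for _ in range(PASSES) for r in range(ROWS)]
DEFAULT_WINDOW = ROWS * PASSES              # no refresh lands inside the trace
SHORT_WINDOW = DEFAULT_WINDOW // 3          # refresh three times as often (shorter tREFI)

def demo():
    """Returns (rows flagged by exact counter, by 4-slot sampler, by exact counter with 3x refresh)."""
    exact = len(run(TRACE, ExactCounter(THRESHOLD), DEFAULT_WINDOW))
    sampled = len(run(TRACE, SamplingTracker(THRESHOLD, slots=4), DEFAULT_WINDOW))
    exact_fast = len(run(TRACE, ExactCounter(THRESHOLD), SHORT_WINDOW))
    return exact, sampled, exact_fast
```

With the constructed trace, the exact counter flags all 32 rows, the 4-slot sampler flags none because every row is evicted before it is seen again, and tripling the refresh rate keeps each exact count at 500 per window, below the threshold.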
COMSEC has previously cooperated with VUSec to create the TRRespass attack, further emphasising the ongoing need for improved memory security. The Phoenix attack serves as a reminder of the ever-evolving landscape of cybersecurity threats and the importance of continuous research and development in mitigating these risks.